From afaad4fe81b15f4abb99ab84de8a4cb85c172653 Mon Sep 17 00:00:00 2001
From: Dustin Lee
Date: Thu, 9 May 2019 11:34:06 -0400
Subject: [PATCH 01/66] s/Installing ElasticSearch/Installing Kibana/
---
 so-setup-network.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/so-setup-network.sh b/so-setup-network.sh
index b31e86369..b9f98e5ee 100644
--- a/so-setup-network.sh
+++ b/so-setup-network.sh
@@ -1880,7 +1880,7 @@ if (whiptail_you_sure); then
 salt-call state.apply elasticsearch >>~/sosetup.log 2>&1
 echo -e "XXX\n40\nInstalling Logstash... \nXXX"
 salt-call state.apply logstash >>~/sosetup.log 2>&1
- echo -e "XXX\n45\nInstalling ElasticSearch... \nXXX"
+ echo -e "XXX\n45\nInstalling Kibana... \nXXX"
 salt-call state.apply kibana >>~/sosetup.log 2>&1
 echo -e "XXX\n50\nInstalling pcap... \nXXX"
 salt-call state.apply pcap >>~/sosetup.log 2>&1
From 7778b99ad221402eb0667a7d862a7d05a490ec28 Mon Sep 17 00:00:00 2001
From: Dustin Lee
Date: Wed, 15 May 2019 15:25:00 -0400
Subject: [PATCH 02/66] avoid installing registry on eval
---
 so-setup-network.sh | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/so-setup-network.sh b/so-setup-network.sh
index b9f98e5ee..487320f7f 100644
--- a/so-setup-network.sh
+++ b/so-setup-network.sh
@@ -365,7 +365,9 @@ docker_install() {
 yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
 yum -y update
 yum -y install docker-ce docker-python python-docker
- docker_registry
+ if [ $INSTALLTYPE != 'EVALMODE' ]; then
+ docker_registry
+ fi
 echo "Restarting Docker" >>~/sosetup.log 2>&1
 systemctl restart docker
 systemctl enable docker
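Review bot: The new guard `if [ $INSTALLTYPE != 'EVALMODE' ]; then` leaves `$INSTALLTYPE` unquoted inside single-bracket `[`, so if the variable is ever empty or unset the test collapses to `[ != EVALMODE ]`, which as I read bash's two-argument form is a "unary operator expected" error (status 2) that silently skips `docker_registry` rather than failing the install. The identical condition is repeated in the Ubuntu branch of this same function, so the two are already a maintenance hazard. I would write `if [[ "$INSTALLTYPE" != 'EVALMODE' ]]; then` here, or better move the EVALMODE check into `docker_registry` itself so every call site inherits it. `docker_install` continues beyond this hunk.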
@@ -374,7 +376,9 @@ docker_install() { if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then apt-get update >>~/sosetup.log 2>&1 apt-get -y install docker-ce >>~/sosetup.log 2>&1 - docker_registry >>~/sosetup.log 2>&1 + if [ $INSTALLTYPE != 'EVALMODE' ]; then + docker_registry >>~/sosetup.log 2>&1 + fi echo "Restarting Docker" >>~/sosetup.log 2>&1 systemctl restart docker >>~/sosetup.log 2>&1 else From 276cd02d12e8168b80f8e2d9404ca7c42d22ae29 Mon Sep 17 00:00:00 2001 From: Dustin Lee Date: Wed, 15 May 2019 16:24:13 -0400 Subject: [PATCH 03/66] force reinstantiation of new hive container --- salt/hive/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/hive/init.sls b/salt/hive/init.sls index 9bdb2c35d..81032b401 100644 --- a/salt/hive/init.sls +++ b/salt/hive/init.sls @@ -97,6 +97,7 @@ so-thehive: - /opt/so/conf/hive/etc/application.conf:/opt/thehive/conf/application.conf:ro - port_bindings: - 0.0.0.0:9000:9000 + - force: true hivescript: cmd.script: From 707e0e378a9206f411f206b39619547c68d40ddc Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 16 May 2019 13:25:02 +0000 Subject: [PATCH 04/66] ensure setup log is consistent --- so-setup-network.sh | 355 ++++++++++++++++++++++---------------------- 1 file changed, 178 insertions(+), 177 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 487320f7f..c1285c5b1 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh 
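Review bot: `- force: true` carries no comment, and a reader of the state file cannot tell from the line alone why TheHive's container is singled out for it or whether it is safe to remove; only the commit message ("force reinstantiation of new hive container") explains the intent. I would add `# force: recreate the container so a new image/config is actually picked up` directly above it, and in that comment note the operational consequence: anything stored only in the container's writable layer presumably does not survive the recreation, and the only bind mount visible here is the read-only `application.conf`. Whether Salt's `force` here means unconditional removal or only killing a running container I cannot confirm from this hunk, which is exactly why the comment should state what was intended. The `so-thehive` definition starts before this hunk and `hivescript` continues after it.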
@@ -23,23 +23,24 @@ CPUCORES=$(cat /proc/cpuinfo | grep processor | wc -l) LISTCORES=$(cat /proc/cpuinfo | grep processor | awk '{print $3 " \"" "core" "\""}') RANDOMUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) NODE_ES_PORT="9200" +SETUPLOG="/root/sosetup.log" # Reset the Install Log -date -u >~/sosetup.log 2>&1 +date -u >$SETUPLOG 2>&1 # End Global Variable Section # Functions accept_salt_key_local() { - echo "Accept the key locally on the master" >>~/sosetup.log 2>&1 + echo "Accept the key locally on the master" >>$SETUPLOG 2>&1 # Accept the key locally on the master salt-key -ya $HOSTNAME } accept_salt_key_remote() { - echo "Accept the key remotely on the master" >>~/sosetup.log 2>&1 + echo "Accept the key remotely on the master" >>$SETUPLOG 2>&1 # Delete the key just in case. ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -d $HOSTNAME -y salt-call state.apply ca @@ -48,7 +49,7 @@ accept_salt_key_remote() { } add_master_hostfile() { - echo "Checking if I can resolve master. If not add to hosts file" >>~/sosetup.log 2>&1 + echo "Checking if I can resolve master. If not add to hosts file" >>$SETUPLOG 2>&1 # Pop up an input to get the IP address local MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3) @@ -60,7 +61,7 @@ add_master_hostfile() { } add_socore_user_master() { - echo "Add socore on the master" >>~/sosetup.log 2>&1 + echo "Add socore on the master" >>$SETUPLOG 2>&1 if [ $OS == 'centos' ]; then local ADDUSER=adduser else @@ -75,7 +76,7 @@ add_socore_user_master() { } add_socore_user_notmaster() { - echo "Add socore user on non master" >>~/sosetup.log 2>&1 + echo "Add socore user on non master" >>$SETUPLOG 2>&1 # Add socore user to the non master system. Probably not a bad idea to make system user groupadd --gid 939 socore $ADDUSER --uid 939 --gid 939 --home-dir /opt/so --no-create-home socore 
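Review bot: `SETUPLOG="/root/sosetup.log"` is created by `date -u >$SETUPLOG 2>&1` with whatever umask the installer inherits, yet the rest of this patch funnels the output of every `salt-call state.apply`, pillar-generation and `scp -v` step into that file; rendered state output may well include configuration diffs, so the log should be owner-only on its own merits rather than relying solely on `/root` being 0700. I would make the assignment `readonly SETUPLOG="/root/sosetup.log"` and create the file explicitly with `install -m 0600 /dev/null "$SETUPLOG"` (or run the redirection under `umask 077`), quoting `"$SETUPLOG"` in the redirections while at it. Marking it `readonly` also protects the hundreds of `>>$SETUPLOG` sites added below from an accidental reassignment turning the log into an arbitrary path.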
@@ -86,7 +87,7 @@ add_socore_user_notmaster() { auth_pillar(){ if [ ! -f /opt/so/saltstack/pillar/auth.sls ]; then - echo "Creating Auth Pillar" >>~/sosetup.log 2>&1 + echo "Creating Auth Pillar" >>$SETUPLOG 2>&1 mkdir -p /opt/so/saltstack/pillar echo "auth:" >> /opt/so/saltstack/pillar/auth.sls echo " mysql: $MYSQLPASS" >> /opt/so/saltstack/pillar/auth.sls @@ -97,7 +98,7 @@ auth_pillar(){ # Enable Bro Logs bro_logs_enabled() { - echo "Enabling Bro Logs" >>~/sosetup.log 2>&1 + echo "Enabling Bro Logs" >>$SETUPLOG 2>&1 echo "brologs:" > pillar/brologs.sls echo " enabled:" >> pillar/brologs.sls @@ -163,13 +164,13 @@ calculate_useable_cores() { } checkin_at_boot() { - echo "Enabling checkin at boot" >>~/sosetup.log 2>&1 + echo "Enabling checkin at boot" >>$SETUPLOG 2>&1 echo "startup_states: highstate" >> /etc/salt/minion } chown_salt_master() { - echo "Chown the salt dirs on the master for socore" >>~/sosetup.log 2>&1 + echo "Chown the salt dirs on the master for socore" >>$SETUPLOG 2>&1 chown -R socore:socore /opt/so } @@ -178,7 +179,7 @@ clear_master() { # Clear out the old master public key in case this is a re-install. # This only happens if you re-install the master. if [ -f /etc/salt/pki/minion/minion_master.pub ]; then - echo "Clearing old master key" >>~/sosetup.log 2>&1 + echo "Clearing old master key" >>$SETUPLOG 2>&1 rm /etc/salt/pki/minion/minion_master.pub service salt-minion restart fi @@ -189,7 +190,7 @@ configure_minion() { # You have to pass the TYPE to this function so it knows if its a master or not local TYPE=$1 - echo "Configuring minion type as $TYPE" >>~/sosetup.log 2>&1 + echo "Configuring minion type as $TYPE" >>$SETUPLOG 2>&1 touch /etc/salt/grains echo "role: so-$TYPE" > /etc/salt/grains if [ $TYPE == 'master' ] || [ $TYPE == 'eval' ]; then 
@@ -229,7 +230,7 @@ copy_minion_pillar() { local TYPE=$1 # Copy over the pillar - echo "Copying the pillar over" >>~/sosetup.log 2>&1 + echo "Copying the pillar over" >>$SETUPLOG 2>&1 scp -v -i /root/.ssh/so.key $TMP/$HOSTNAME.sls socore@$MSRV:/opt/so/saltstack/pillar/$TYPE/$HOSTNAME.sls } @@ -248,7 +249,7 @@ copy_ssh_key() { create_bond() { # Create the bond interface - echo "Setting up Bond" >>~/sosetup.log 2>&1 + echo "Setting up Bond" >>$SETUPLOG 2>&1 # Set the MTU if [ $NSMSETUP != 'ADVANCED' ]; then @@ -277,17 +278,17 @@ create_bond() { echo "SLAVE=yes" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC echo "MTU=$MTU" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC done - nmcli con reload >>~/sosetup.log 2>&1 - systemctl restart network >>~/sosetup.log 2>&1 + nmcli con reload >>$SETUPLOG 2>&1 + systemctl restart network >>$SETUPLOG 2>&1 else # Need to add 17.04 support still - apt-get -y install ifenslave >>~/sosetup.log 2>&1 + apt-get -y install ifenslave >>$SETUPLOG 2>&1 if ! grep -q bonding /etc/modules; then echo "bonding" >> /etc/modules fi - modprobe bonding >>~/sosetup.log 2>&1 + modprobe bonding >>$SETUPLOG 2>&1 local LBACK=$(awk '/auto lo/,/^$/' /etc/network/interfaces) local MINT=$(awk "/auto $MNIC/,/^$/" /etc/network/interfaces) @@ -344,14 +345,14 @@ create_bond() { detect_os() { # Detect Base OS - echo "Detecting Base OS" >>~/sosetup.log 2>&1 + echo "Detecting Base OS" >>$SETUPLOG 2>&1 if [ -f /etc/redhat-release ]; then OS=centos yum -y install bind-utils elif [ -f /etc/os-release ]; then OS=ubuntu else - echo "We were unable to determine if you are using a supported OS." >>~/sosetup.log 2>&1 + echo "We were unable to determine if you are using a supported OS." >>$SETUPLOG 2>&1 exit fi 
@@ -368,27 +369,27 @@ docker_install() { if [ $INSTALLTYPE != 'EVALMODE' ]; then docker_registry fi - echo "Restarting Docker" >>~/sosetup.log 2>&1 + echo "Restarting Docker" >>$SETUPLOG 2>&1 systemctl restart docker systemctl enable docker else if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then - apt-get update >>~/sosetup.log 2>&1 - apt-get -y install docker-ce >>~/sosetup.log 2>&1 + apt-get update >>$SETUPLOG 2>&1 + apt-get -y install docker-ce >>$SETUPLOG 2>&1 if [ $INSTALLTYPE != 'EVALMODE' ]; then - docker_registry >>~/sosetup.log 2>&1 + docker_registry >>$SETUPLOG 2>&1 fi - echo "Restarting Docker" >>~/sosetup.log 2>&1 - systemctl restart docker >>~/sosetup.log 2>&1 + echo "Restarting Docker" >>$SETUPLOG 2>&1 + systemctl restart docker >>$SETUPLOG 2>&1 else - apt-key add $TMP/gpg/docker.pub >>~/sosetup.log 2>&1 - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >>~/sosetup.log 2>&1 - apt-get update >>~/sosetup.log 2>&1 - apt-get -y install docker-ce >>~/sosetup.log 2>&1 - docker_registry >>~/sosetup.log 2>&1 - echo "Restarting Docker" >>~/sosetup.log 2>&1 - systemctl restart docker >>~/sosetup.log 2>&1 + apt-key add $TMP/gpg/docker.pub >>$SETUPLOG 2>&1 + add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >>$SETUPLOG 2>&1 + apt-get update >>$SETUPLOG 2>&1 + apt-get -y install docker-ce >>$SETUPLOG 2>&1 + docker_registry >>$SETUPLOG 2>&1 + echo "Restarting Docker" >>$SETUPLOG 2>&1 + systemctl restart docker >>$SETUPLOG 2>&1 fi fi 
@@ -396,13 +397,13 @@ docker_install() { docker_registry() { - echo "Setting up Docker Registry" >>~/sosetup.log 2>&1 - mkdir -p /etc/docker >>~/sosetup.log 2>&1 + echo "Setting up Docker Registry" >>$SETUPLOG 2>&1 + mkdir -p /etc/docker >>$SETUPLOG 2>&1 # Make the host use the master docker registry echo "{" > /etc/docker/daemon.json echo " \"registry-mirrors\": [\"https://$MSRV:5000\"]" >> /etc/docker/daemon.json echo "}" >> /etc/docker/daemon.json - echo "Docker Registry Setup - Complete" >>~/sosetup.log 2>&1 + echo "Docker Registry Setup - Complete" >>$SETUPLOG 2>&1 } @@ -501,7 +502,7 @@ install_master() { # Install the salt master package if [ $OS == 'centos' ]; then - yum -y install wget salt-common salt-master >>~/sosetup.log 2>&1 + yum -y install wget salt-common salt-master >>$SETUPLOG 2>&1 # Create a place for the keys for Ubuntu minions mkdir -p /opt/so/gpg @@ -814,7 +815,7 @@ EOF DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade # Add the pre-requisites for installing docker-ce - apt-get -y install ca-certificates curl software-properties-common apt-transport-https openssl >>~/sosetup.log 2>&1 + apt-get -y install ca-certificates curl software-properties-common apt-transport-https openssl >>$SETUPLOG 2>&1 # Grab the version from the os-release file UVER=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}') @@ -844,8 +845,8 @@ EOF echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list # Initialize the new repos - apt-get update >>~/sosetup.log 2>&1 - apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >>~/sosetup.log 2>&1 + apt-get update >>$SETUPLOG 2>&1 + apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >>$SETUPLOG 2>&1 apt-mark hold salt-minion salt-common else 
@@ -858,8 +859,8 @@ EOF echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest xenial main" > /etc/apt/sources.list.d/saltstack.list echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list # Initialize the new repos - apt-get update >>~/sosetup.log 2>&1 - apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >>~/sosetup.log 2>&1 + apt-get update >>$SETUPLOG 2>&1 + apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >>$SETUPLOG 2>&1 apt-mark hold salt-minion salt-common fi @@ -872,25 +873,25 @@ salt_checkin() { # Master State to Fix Mine Usage if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then echo "Building Certificate Authority" - salt-call state.apply ca >>~/sosetup.log 2>&1 + salt-call state.apply ca >>$SETUPLOG 2>&1 echo " *** Restarting Salt to fix any SSL errors. ***" - service salt-master restart >>~/sosetup.log 2>&1 + service salt-master restart >>$SETUPLOG 2>&1 sleep 5 - service salt-minion restart >>~/sosetup.log 2>&1 + service salt-minion restart >>$SETUPLOG 2>&1 sleep 15 echo " Applyng a mine hack " - sudo salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt >>~/sosetup.log 2>&1 + sudo salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt >>$SETUPLOG 2>&1 echo " Applying SSL state " - salt-call state.apply ssl >>~/sosetup.log 2>&1 + salt-call state.apply ssl >>$SETUPLOG 2>&1 echo "Still Working... Hang in there" #salt-call state.highstate else # Run Checkin - salt-call state.apply ca >>~/sosetup.log 2>&1 - salt-call state.apply ssl >>~/sosetup.log 2>&1 - #salt-call state.highstate >>~/sosetup.log 2>&1 + salt-call state.apply ca >>$SETUPLOG 2>&1 + salt-call state.apply ssl >>$SETUPLOG 2>&1 + #salt-call state.highstate >>$SETUPLOG 2>&1 fi 
@@ -911,7 +912,7 @@ salt_checkin_message() { salt_firstcheckin() { #First Checkin - salt-call state.highstate >>~/sosetup.log 2>&1 + salt-call state.highstate >>$SETUPLOG 2>&1 } @@ -1468,7 +1469,7 @@ whiptail_setup_complete() { whiptail_setup_failed() { - whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see /root/sosetup.log for details" 8 78 + whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see $SETUPLOG for details" 8 78 install_cleanup exit 
@@ -1627,83 +1628,83 @@ if (whiptail_you_sure); then { sleep 0.5 echo -e "XXX\n0\nInstalling and configuring Salt... \nXXX" - echo " ** Installing Salt and Dependencies **" >>~/sosetup.log - saltify >>~/sosetup.log 2>&1 + echo " ** Installing Salt and Dependencies **" >>$SETUPLOG + saltify >>$SETUPLOG 2>&1 echo -e "XXX\n5\nInstalling Docker... \nXXX" - docker_install >>~/sosetup.log 2>&1 + docker_install >>$SETUPLOG 2>&1 echo -e "XXX\n10\nConfiguring Salt Master... \nXXX" - echo " ** Configuring Minion **" >>~/sosetup.log - configure_minion master >>~/sosetup.log 2>&1 - echo " ** Installing Salt Master **" >>~/sosetup.log - install_master >>~/sosetup.log 2>&1 - salt_master_directories >>~/sosetup.log 2>&1 - update_sudoers >>~/sosetup.log 2>&1 - chown_salt_master >>~/sosetup.log 2>&1 - es_heapsize >>~/sosetup.log 2>&1 - ls_heapsize >>~/sosetup.log 2>&1 + echo " ** Configuring Minion **" >>$SETUPLOG + configure_minion master >>$SETUPLOG 2>&1 + echo " ** Installing Salt Master **" >>$SETUPLOG + install_master >>$SETUPLOG 2>&1 + salt_master_directories >>$SETUPLOG 2>&1 + update_sudoers >>$SETUPLOG 2>&1 + chown_salt_master >>$SETUPLOG 2>&1 + es_heapsize >>$SETUPLOG 2>&1 + ls_heapsize >>$SETUPLOG 2>&1 echo -e "XXX\n25\nConfiguring Default Pillars... \nXXX" - master_static >>~/sosetup.log 2>&1 - echo "** Generating the master pillar **" >>~/sosetup.log - master_pillar >>~/sosetup.log 2>&1 + master_static >>$SETUPLOG 2>&1 + echo "** Generating the master pillar **" >>$SETUPLOG + master_pillar >>$SETUPLOG 2>&1 echo -e "XXX\n30\nAccepting Salt Keys... 
\nXXX" # Do a checkin to push the key up - echo "** Pushing the key up to Master **" >>~/sosetup.log - salt_firstcheckin >>~/sosetup.log 2>&1 + echo "** Pushing the key up to Master **" >>$SETUPLOG + salt_firstcheckin >>$SETUPLOG 2>&1 # Accept the Master Key - echo "** Accepting the key on the master **" >>~/sosetup.log - accept_salt_key_local >>~/sosetup.log 2>&1 + echo "** Accepting the key on the master **" >>$SETUPLOG + accept_salt_key_local >>$SETUPLOG 2>&1 echo -e "XXX\n35\nConfiguring Firewall... \nXXX" # Open the firewall - echo "** Setting the initial firewall policy **" >>~/sosetup.log - set_initial_firewall_policy >>~/sosetup.log 2>&1 + echo "** Setting the initial firewall policy **" >>$SETUPLOG + set_initial_firewall_policy >>$SETUPLOG 2>&1 # Do the big checkin but first let them know it will take a bit. echo -e "XXX\n40\nGenerating CA... \nXXX" - salt_checkin >>~/sosetup.log 2>&1 - salt-call state.apply ca >>~/sosetup.log 2>&1 - salt-call state.apply ssl >>~/sosetup.log 2>&1 + salt_checkin >>$SETUPLOG 2>&1 + salt-call state.apply ca >>$SETUPLOG 2>&1 + salt-call state.apply ssl >>$SETUPLOG 2>&1 echo -e "XXX\n43\nInstalling Common Components... \nXXX" - salt-call state.apply common >>~/sosetup.log 2>&1 + salt-call state.apply common >>$SETUPLOG 2>&1 echo -e "XXX\n45\nApplying firewall rules... \nXXX" - salt-call state.apply firewall >>~/sosetup.log 2>&1 - salt-call state.apply master >>~/sosetup.log 2>&1 - salt-call state.apply idstools >>~/sosetup.log 2>&1 + salt-call state.apply firewall >>$SETUPLOG 2>&1 + salt-call state.apply master >>$SETUPLOG 2>&1 + salt-call state.apply idstools >>$SETUPLOG 2>&1 echo -e "XXX\n40\nInstalling Redis... \nXXX" - salt-call state.apply redis >>~/sosetup.log 2>&1 + salt-call state.apply redis >>$SETUPLOG 2>&1 if [[ $OSQUERY == '1' ]]; then echo -e "XXX\n41\nInstalling MySQL... 
\nXXX" - salt-call state.apply mysql >>~/sosetup.log 2>&1 + salt-call state.apply mysql >>$SETUPLOG 2>&1 fi echo -e "XXX\n45\nInstalling Elastic Components... \nXXX" - salt-call state.apply elasticsearch >>~/sosetup.log 2>&1 - salt-call state.apply logstash >>~/sosetup.log 2>&1 - salt-call state.apply kibana >>~/sosetup.log 2>&1 - salt-call state.apply elastalert >>~/sosetup.log 2>&1 + salt-call state.apply elasticsearch >>$SETUPLOG 2>&1 + salt-call state.apply logstash >>$SETUPLOG 2>&1 + salt-call state.apply kibana >>$SETUPLOG 2>&1 + salt-call state.apply elastalert >>$SETUPLOG 2>&1 if [[ $WAZUH == '1' ]]; then echo -e "XXX\n68\nInstalling Wazuh... \nXXX" - salt-call state.apply wazuh >>~/sosetup.log 2>&1 + salt-call state.apply wazuh >>$SETUPLOG 2>&1 fi echo -e "XXX\n75\nInstalling Filebeat... \nXXX" - salt-call state.apply filebeat >>~/sosetup.log 2>&1 - salt-call state.apply utility >>~/sosetup.log 2>&1 - salt-call state.apply schedule >>~/sosetup.log 2>&1 + salt-call state.apply filebeat >>$SETUPLOG 2>&1 + salt-call state.apply utility >>$SETUPLOG 2>&1 + salt-call state.apply schedule >>$SETUPLOG 2>&1 if [[ $OSQUERY == '1' ]]; then echo -e "XXX\n79\nInstalling Fleet... \nXXX" - salt-call state.apply fleet >>~/sosetup.log 2>&1 - salt-call state.apply launcher >>~/sosetup.log 2>&1 + salt-call state.apply fleet >>$SETUPLOG 2>&1 + salt-call state.apply launcher >>$SETUPLOG 2>&1 fi echo -e "XXX\n85\nConfiguring SOctopus... \nXXX" - salt-call state.apply soctopus >>~/sosetup.log 2>&1 + salt-call state.apply soctopus >>$SETUPLOG 2>&1 if [[ $THEHIVE == '1' ]]; then echo -e "XXX\n87\nInstalling TheHive... \nXXX" - salt-call state.apply hive >>~/sosetup.log 2>&1 + salt-call state.apply hive >>$SETUPLOG 2>&1 fi echo -e "XXX\n75\nEnabling Checking at Boot... \nXXX" - checkin_at_boot >>~/sosetup.log 2>&1 + checkin_at_boot >>$SETUPLOG 2>&1 echo -e "XXX\n95\nVerifying Install... 
\nXXX" - salt-call state.highstate >>~/sosetup.log 2>&1 + salt-call state.highstate >>$SETUPLOG 2>&1 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 - GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') + GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}') if [[ $GOODSETUP == '0' ]]; then whiptail_setup_complete else 
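Review bot: The success check `GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')` only inspects the last ten lines of the log, i.e. the summary of the final `state.highstate`; a failure in any of the earlier `salt-call state.apply` calls in this block (ca, ssl, firewall, master, idstools, …) scrolls past and the installer still reports a clean setup. Because the whole gauge block discards each command's exit status, a dependable check needs either `salt-call state.apply ca >>$SETUPLOG 2>&1 || echo "Failed: ca" >>$SETUPLOG` on each call, or at least `grep -c Failed` over the entire log rather than its tail. The same heuristic is repeated in the sensor, eval and node branches below, and the eval branch compares against `'1'` on CentOS, which suggests it is already being tuned per platform rather than measuring failures. The enclosing `if (whiptail_you_sure)` block starts before this hunk.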
@@ -1744,39 +1745,39 @@ if (whiptail_you_sure); then { sleep 0.5 echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX" - set_initial_firewall_policy >>~/sosetup.log 2>&1 + set_initial_firewall_policy >>$SETUPLOG 2>&1 echo -e "XXX\n3\nCreating Bond Interface... \nXXX" - create_bond >>~/sosetup.log 2>&1 + create_bond >>$SETUPLOG 2>&1 echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX" - sensor_pillar >>~/sosetup.log 2>&1 + sensor_pillar >>$SETUPLOG 2>&1 echo -e "XXX\n5\nInstalling Salt Components... \nXXX" - saltify >>~/sosetup.log 2>&1 + saltify >>$SETUPLOG 2>&1 echo -e "XXX\n20\nInstalling Docker... \nXXX" - docker_install >>~/sosetup.log 2>&1 + docker_install >>$SETUPLOG 2>&1 echo -e "XXX\n22\nConfiguring Salt Minion... \nXXX" - configure_minion sensor >>~/sosetup.log 2>&1 + configure_minion sensor >>$SETUPLOG 2>&1 echo -e "XXX\n24\nCopying Sensor Pillar to Master... \nXXX" - copy_minion_pillar sensors >>~/sosetup.log 2>&1 + copy_minion_pillar sensors >>$SETUPLOG 2>&1 echo -e "XXX\n25\nSending Salt Key to Master... \nXXX" - salt_firstcheckin >>~/sosetup.log 2>&1 + salt_firstcheckin >>$SETUPLOG 2>&1 echo -e "XXX\n26\nTelling the Master to Accept Key... \nXXX" # Accept the Salt Key - accept_salt_key_remote >>~/sosetup.log 2>&1 + accept_salt_key_remote >>$SETUPLOG 2>&1 echo -e "XXX\n27\nApplying SSL Certificates... \nXXX" - salt-call state.apply ca >>~/sosetup.log 2>&1 - salt-call state.apply ssl >>~/sosetup.log 2>&1 + salt-call state.apply ca >>$SETUPLOG 2>&1 + salt-call state.apply ssl >>$SETUPLOG 2>&1 echo -e "XXX\n35\nInstalling Core Components... \nXXX" - salt-call state.apply common >>~/sosetup.log 2>&1 - salt-call state.apply firewall >>~/sosetup.log 2>&1 + salt-call state.apply common >>$SETUPLOG 2>&1 + salt-call state.apply firewall >>$SETUPLOG 2>&1 echo -e "XXX\n50\nInstalling PCAP... \nXXX" - salt-call state.apply pcap >>~/sosetup.log 2>&1 + salt-call state.apply pcap >>$SETUPLOG 2>&1 echo -e "XXX\n60\nInstalling IDS components... 
\nXXX" - salt-call state.apply suricata >>~/sosetup.log 2>&1 + salt-call state.apply suricata >>$SETUPLOG 2>&1 echo -e "XXX\n80\nVerifying Install... \nXXX" - salt-call state.highstate >>~/sosetup.log 2>&1 - checkin_at_boot >>~/sosetup.log 2>&1 + salt-call state.highstate >>$SETUPLOG 2>&1 + checkin_at_boot >>$SETUPLOG 2>&1 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 - GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') + GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}') if [[ $GOODSETUP == '0' ]]; then whiptail_setup_complete else 
@@ -1836,91 +1837,91 @@ if (whiptail_you_sure); then { sleep 0.5 echo -e "XXX\n0\nCreating Bond Interface... \nXXX" - create_bond >>~/sosetup.log 2>&1 + create_bond >>$SETUPLOG 2>&1 echo -e "XXX\n1\nInstalling saltstack... \nXXX" - saltify >>~/sosetup.log 2>&1 + saltify >>$SETUPLOG 2>&1 echo -e "XXX\n3\nInstalling docker... \nXXX" - docker_install >>~/sosetup.log 2>&1 + docker_install >>$SETUPLOG 2>&1 echo -e "XXX\n5\nInstalling master code... \nXXX" - install_master >>~/sosetup.log 2>&1 + install_master >>$SETUPLOG 2>&1 echo -e "XXX\n6\nCopying salt code... \nXXX" - salt_master_directories >>~/sosetup.log 2>&1 + salt_master_directories >>$SETUPLOG 2>&1 echo -e "XXX\n6\nupdating suduers... \nXXX" - update_sudoers >>~/sosetup.log 2>&1 + update_sudoers >>$SETUPLOG 2>&1 echo -e "XXX\n7\nFixing some permissions... \nXXX" - chown_salt_master >>~/sosetup.log 2>&1 + chown_salt_master >>$SETUPLOG 2>&1 echo -e "XXX\n7\nCreating the static pillar... \nXXX" # Set the static values - master_static >>~/sosetup.log 2>&1 + master_static >>$SETUPLOG 2>&1 echo -e "XXX\n7\nCreating the master pillar... \nXXX" - master_pillar >>~/sosetup.log 2>&1 + master_pillar >>$SETUPLOG 2>&1 echo -e "XXX\n7\nConfiguring minion... \nXXX" - configure_minion eval >>~/sosetup.log 2>&1 + configure_minion eval >>$SETUPLOG 2>&1 echo -e "XXX\n7\nSetting the node type to eval... \nXXX" - set_node_type >>~/sosetup.log 2>&1 + set_node_type >>$SETUPLOG 2>&1 echo -e "XXX\n7\nStorage node pillar... \nXXX" - node_pillar >>~/sosetup.log 2>&1 + node_pillar >>$SETUPLOG 2>&1 echo -e "XXX\n8\nCreating firewall policies... \nXXX" - set_initial_firewall_policy >>~/sosetup.log 2>&1 + set_initial_firewall_policy >>$SETUPLOG 2>&1 echo -e "XXX\n10\nRegistering agent... \nXXX" - salt_firstcheckin >>~/sosetup.log 2>&1 + salt_firstcheckin >>$SETUPLOG 2>&1 echo -e "XXX\n11\nAccepting Agent... 
\nXXX" - accept_salt_key_local >>~/sosetup.log 2>&1 + accept_salt_key_local >>$SETUPLOG 2>&1 echo -e "XXX\n12\nRunning the SSL states... \nXXX" - salt_checkin >>~/sosetup.log 2>&1 - salt-call state.apply ca >>~/sosetup.log 2>&1 - salt-call state.apply ssl >>~/sosetup.log 2>&1 + salt_checkin >>$SETUPLOG 2>&1 + salt-call state.apply ca >>$SETUPLOG 2>&1 + salt-call state.apply ssl >>$SETUPLOG 2>&1 echo -e "XXX\n15\nInstalling core components... \nXXX" - salt-call state.apply common >>~/sosetup.log 2>&1 + salt-call state.apply common >>$SETUPLOG 2>&1 echo -e "XXX\n18\nInitializing firewall rules... \nXXX" - salt-call state.apply firewall >>~/sosetup.log 2>&1 + salt-call state.apply firewall >>$SETUPLOG 2>&1 echo -e "XXX\n25\nInstalling master components... \nXXX" - salt-call state.apply master >>~/sosetup.log 2>&1 - salt-call state.apply idstools >>~/sosetup.log 2>&1 + salt-call state.apply master >>$SETUPLOG 2>&1 + salt-call state.apply idstools >>$SETUPLOG 2>&1 if [[ $OSQUERY == '1' ]]; then - salt-call state.apply mysql >>~/sosetup.log 2>&1 + salt-call state.apply mysql >>$SETUPLOG 2>&1 fi echo -e "XXX\n35\nInstalling ElasticSearch... \nXXX" - salt-call state.apply elasticsearch >>~/sosetup.log 2>&1 + salt-call state.apply elasticsearch >>$SETUPLOG 2>&1 echo -e "XXX\n40\nInstalling Logstash... \nXXX" - salt-call state.apply logstash >>~/sosetup.log 2>&1 + salt-call state.apply logstash >>$SETUPLOG 2>&1 echo -e "XXX\n45\nInstalling Kibana... \nXXX" - salt-call state.apply kibana >>~/sosetup.log 2>&1 + salt-call state.apply kibana >>$SETUPLOG 2>&1 echo -e "XXX\n50\nInstalling pcap... \nXXX" - salt-call state.apply pcap >>~/sosetup.log 2>&1 + salt-call state.apply pcap >>$SETUPLOG 2>&1 echo -e "XXX\n52\nInstalling Suricata... \nXXX" - salt-call state.apply suricata >>~/sosetup.log 2>&1 + salt-call state.apply suricata >>$SETUPLOG 2>&1 echo -e "XXX\n54\nInstalling Zeek... 
\nXXX" - salt-call state.apply bro >>~/sosetup.log 2>&1 + salt-call state.apply bro >>$SETUPLOG 2>&1 echo -e "XXX\n56\nInstalling curator... \nXXX" - salt-call state.apply curator >>~/sosetup.log 2>&1 + salt-call state.apply curator >>$SETUPLOG 2>&1 echo -e "XXX\n58\nInstalling elastalert... \nXXX" - salt-call state.apply elastalert >>~/sosetup.log 2>&1 + salt-call state.apply elastalert >>$SETUPLOG 2>&1 if [[ $OSQUERY == '1' ]]; then echo -e "XXX\n60\nInstalling fleet... \nXXX" - salt-call state.apply fleet >>~/sosetup.log 2>&1 - salt-call state.apply redis >>~/sosetup.log 2>&1 + salt-call state.apply fleet >>$SETUPLOG 2>&1 + salt-call state.apply redis >>$SETUPLOG 2>&1 fi if [[ $WAZUH == '1' ]]; then echo -e "XXX\n65\nInstalling Wazuh components... \nXXX" - salt-call state.apply wazuh >>~/sosetup.log 2>&1 + salt-call state.apply wazuh >>$SETUPLOG 2>&1 fi echo -e "XXX\n85\nInstalling filebeat... \nXXX" - salt-call state.apply filebeat >>~/sosetup.log 2>&1 - salt-call state.apply utility >>~/sosetup.log 2>&1 + salt-call state.apply filebeat >>$SETUPLOG 2>&1 + salt-call state.apply utility >>$SETUPLOG 2>&1 echo -e "XXX\n95\nInstalling misc components... \nXXX" - salt-call state.apply schedule >>~/sosetup.log 2>&1 - salt-call state.apply soctopus >>~/sosetup.log 2>&1 + salt-call state.apply schedule >>$SETUPLOG 2>&1 + salt-call state.apply soctopus >>$SETUPLOG 2>&1 if [[ $THEHIVE == '1' ]]; then - salt-call state.apply hive >>~/sosetup.log 2>&1 + salt-call state.apply hive >>$SETUPLOG 2>&1 fi echo -e "XXX\n98\nSetting checkin to run on boot... \nXXX" - checkin_at_boot >>~/sosetup.log 2>&1 + checkin_at_boot >>$SETUPLOG 2>&1 echo -e "XXX\n99\nVerifying Setup... 
\nXXX" - salt-call state.highstate >>~/sosetup.log 2>&1 + salt-call state.highstate >>$SETUPLOG 2>&1 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 - GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') + GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}') if [ $OS == 'centos' ]; then if [[ $GOODSETUP == '1' ]]; then whiptail_setup_complete 
@@ -1976,37 +1977,37 @@ if (whiptail_you_sure); then { sleep 0.5 echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX" - set_initial_firewall_policy >>~/sosetup.log 2>&1 + set_initial_firewall_policy >>$SETUPLOG 2>&1 echo -e "XXX\n5\nInstalling Salt Packages... \nXXX" - saltify >>~/sosetup.log 2>&1 + saltify >>$SETUPLOG 2>&1 echo -e "XXX\n20\nInstalling Docker... \nXXX" - docker_install >>~/sosetup.log 2>&1 + docker_install >>$SETUPLOG 2>&1 echo -e "XXX\n30\nInitializing Minion... \nXXX" - configure_minion node >>~/sosetup.log 2>&1 - set_node_type >>~/sosetup.log 2>&1 - node_pillar >>~/sosetup.log 2>&1 - copy_minion_pillar nodes >>~/sosetup.log 2>&1 + configure_minion node >>$SETUPLOG 2>&1 + set_node_type >>$SETUPLOG 2>&1 + node_pillar >>$SETUPLOG 2>&1 + copy_minion_pillar nodes >>$SETUPLOG 2>&1 echo -e "XXX\n35\nSending and Accepting Salt Key... \nXXX" - salt_firstcheckin >>~/sosetup.log 2>&1 + salt_firstcheckin >>$SETUPLOG 2>&1 # Accept the Salt Key - accept_salt_key_remote >>~/sosetup.log 2>&1 + accept_salt_key_remote >>$SETUPLOG 2>&1 echo -e "XXX\n40\nApplying SSL Certificates... \nXXX" - salt-call state.apply ca >>~/sosetup.log 2>&1 - salt-call state.apply ssl >>~/sosetup.log 2>&1 + salt-call state.apply ca >>$SETUPLOG 2>&1 + salt-call state.apply ssl >>$SETUPLOG 2>&1 echo -e "XXX\n50\nConfiguring Firewall... \nXXX" - salt-call state.apply common >>~/sosetup.log 2>&1 - salt-call state.apply firewall >>~/sosetup.log 2>&1 + salt-call state.apply common >>$SETUPLOG 2>&1 + salt-call state.apply firewall >>$SETUPLOG 2>&1 echo -e "XXX\n70\nInstalling Elastic Components... 
\nXXX" - salt-call state.apply logstash >>~/sosetup.log 2>&1 - salt-call state.apply elasticsearch >>~/sosetup.log 2>&1 - salt-call state.apply curator >>~/sosetup.log 2>&1 - salt-call state.apply filebeat >>~/sosetup.log 2>&1 + salt-call state.apply logstash >>$SETUPLOG 2>&1 + salt-call state.apply elasticsearch >>$SETUPLOG 2>&1 + salt-call state.apply curator >>$SETUPLOG 2>&1 + salt-call state.apply filebeat >>$SETUPLOG 2>&1 echo -e "XXX\n90\nVerifying Install... \nXXX" - salt-call state.highstate >>~/sosetup.log 2>&1 - checkin_at_boot >>~/sosetup.log 2>&1 + salt-call state.highstate >>$SETUPLOG 2>&1 + checkin_at_boot >>$SETUPLOG 2>&1 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 - GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') + GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}') if [[ $GOODSETUP == '0' ]]; then whiptail_setup_complete else From 9f0f41b1fdd4e6ee30ead157deefc502342cf423 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 31 May 2019 14:40:38 -0400 Subject: [PATCH 05/66] First attempt at writing a function to create a bond using nmcli --- so-setup-network.sh | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/so-setup-network.sh b/so-setup-network.sh index 487320f7f..ed1557826 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh 
@@ -245,6 +245,36 @@ copy_ssh_key() {
 }
+create_bond_nmcli() {
+ echo "Setting up Bond" >>~/sosetup.log 2>&1
+
+ # Set the MTU
+ if [ $NSMSETUP != 'ADVANCED' ]; then
+ MTU=1500
+ fi
+
+ # Create the bond interface
+ nmcli con add type bond ifname bond0 con-name "bond0" \
+ bond.options "mode=0" \
+ 802-3-ethernet.mtu $MTU \
+ ipv4.method "manual" \
+ connection.autoconnect "yes" \
+ >> ~/sosetup.log 2>&1
+
+ for BNIC in ${BNICS[@]}; do
+ # Strip the quotes from the NIC names
+ BONDNIC=${awk -F\" | '{print $2}' <<< $BNIC}
+ # Create the slave interface and assign it to the bond
+ nmcli con add type ethernet ifname $BONDNIC master bond0 \
+ connection.autoconnect yes \
+ 802-3-ethernet.mtu $MTU \
+ con-name "bond0-slave-$BNIC" \
+ >> ~/sosetup.log 2>&1
+ # Bring the slave interface up
+ nmcli con up bond0-slave-$BNIC >> ~/sosetup.log 2>&1
+ done
+}
+
 create_bond() {
 # Create the bond interface
From 23300bf26099b7ff9a4f0fef221048d80a05a369 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Fri, 31 May 2019 15:03:19 -0400
Subject: [PATCH 06/66] Calling new 'create_bond_nmcli' function
---
 so-setup-network.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/so-setup-network.sh b/so-setup-network.sh
index ed1557826..23db2f26a 100644
--- a/so-setup-network.sh
+++ b/so-setup-network.sh
@@ -1776,7 +1776,7 @@ if (whiptail_you_sure); then
 echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
 set_initial_firewall_policy >>~/sosetup.log 2>&1
 echo -e "XXX\n3\nCreating Bond Interface... \nXXX"
- create_bond >>~/sosetup.log 2>&1
+ create_bond_nmcli >>~/sosetup.log 2>&1
 echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX"
 sensor_pillar >>~/sosetup.log 2>&1
 echo -e "XXX\n5\nInstalling Salt Components... \nXXX"
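Review bot: Neither `nmcli con add` call in `create_bond_nmcli` checks its exit status — output goes to the log and the function returns 0 regardless — so a sensor can finish setup "successfully" with no bond0 and therefore no capture interface, which on a monitoring appliance is the worst kind of silent failure. I would terminate each nmcli invocation with `|| return 1` and have the caller treat a non-zero return as a setup failure, and quote the expansions while the function is new: `for BNIC in "${BNICS[@]}"; do`, `ifname "$BONDNIC"`, `802-3-ethernet.mtu "$MTU"`. The broken `${awk …}` substitution and the `ipv4.method "manual"` value are reworked by the later commits in this series, so I am not raising them here.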
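Review bot: Switching the sensor flow to `create_bond_nmcli` drops the Ubuntu path: `create_bond` has an `else` branch that installs ifenslave and edits /etc/network/interfaces, while `create_bond_nmcli` calls nmcli unconditionally, and nmcli is not guaranteed to be present or to be managing the interfaces on an Ubuntu sensor. Unless Ubuntu sensors are intentionally being dropped, the call site should dispatch on OS — `if [ $OS == 'centos' ]; then create_bond_nmcli; else create_bond; fi >>~/sosetup.log 2>&1` — or the dispatch should live inside `create_bond_nmcli` so both callers (this one and the eval branch changed in the next hunk) stay correct. The gauge block this line sits in begins before the hunk.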
@@ -1866,7 +1866,7 @@ if (whiptail_you_sure); then { sleep 0.5 echo -e "XXX\n0\nCreating Bond Interface... \nXXX" - create_bond >>~/sosetup.log 2>&1 + create_bond_nmcli >>~/sosetup.log 2>&1 echo -e "XXX\n1\nInstalling saltstack... \nXXX" saltify >>~/sosetup.log 2>&1 echo -e "XXX\n3\nInstalling docker... \nXXX" From bad922bf77320a39b1c496a4a02c5440c6e07dda Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 31 May 2019 15:19:09 -0400 Subject: [PATCH 07/66] Fixing substitution and ipv4/ipv6 issues in nmcli bond function. --- so-setup-network.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 23db2f26a..8b6aeccc4 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -257,17 +257,20 @@ create_bond_nmcli() { nmcli con add type bond ifname bond0 con-name "bond0" \ bond.options "mode=0" \ 802-3-ethernet.mtu $MTU \ - ipv4.method "manual" \ + ipv4.method "ignore" \ + ipv6.method "ignore" \ connection.autoconnect "yes" \ >> ~/sosetup.log 2>&1 for BNIC in ${BNICS[@]}; do # Strip the quotes from the NIC names - BONDNIC=${awk -F\" | '{print $2}' <<< $BNIC} + BONDNIC=${awk -F\" | '{print $2}' <<< !BNIC} # Create the slave interface and assign it to the bond nmcli con add type ethernet ifname $BONDNIC master bond0 \ connection.autoconnect yes \ 802-3-ethernet.mtu $MTU \ + ipv4.method "ignore" \ + ipv6.method "ignore" \ con-name "bond0-slave-$BNIC" \ >> ~/sosetup.log 2>&1 # Bring the slave interface up From 21a144248e6b02272782b77e78e7388ea80b1c5d Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 31 May 2019 16:05:47 -0400 Subject: [PATCH 08/66] Fixed further issues in substitution and ipv4/v6 flags --- so-setup-network.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 8b6aeccc4..f3c083e82 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh 
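Review bot: The rewritten quote-stripping line `BONDNIC=${awk -F\" | '{print $2}' <<< !BNIC}` is still not valid bash: `${ }` is parameter expansion rather than command substitution (a bad-substitution error), and in a non-interactive script `!BNIC` is the literal string rather than the variable, so no slave profile is ever created. A plain expansion does the job without a subprocess: `BONDNIC=${BNIC//\"/}`, the same idiom the legacy `create_bond` uses to build `BN`. The method value `ignore` is, to my knowledge, accepted by nmcli only for `ipv6.method`; for IPv4 the equivalent is `disabled`, so the bond `nmcli con add` at the top of this hunk is likely rejected as well. The loop body and the function's closing lines run past the hunk.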
@@ -257,24 +257,24 @@ create_bond_nmcli() { nmcli con add type bond ifname bond0 con-name "bond0" \ bond.options "mode=0" \ 802-3-ethernet.mtu $MTU \ - ipv4.method "ignore" \ - ipv6.method "ignore" \ + ipv4.method "disabled" \ + ipv6.method "disabled" \ connection.autoconnect "yes" \ >> ~/sosetup.log 2>&1 for BNIC in ${BNICS[@]}; do # Strip the quotes from the NIC names - BONDNIC=${awk -F\" | '{print $2}' <<< !BNIC} + BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" # Create the slave interface and assign it to the bond nmcli con add type ethernet ifname $BONDNIC master bond0 \ connection.autoconnect yes \ 802-3-ethernet.mtu $MTU \ - ipv4.method "ignore" \ - ipv6.method "ignore" \ - con-name "bond0-slave-$BNIC" \ + ipv4.method "disabled" \ + ipv6.method "disabled" \ + con-name "bond0-slave-$BONDNIC" \ >> ~/sosetup.log 2>&1 # Bring the slave interface up - nmcli con up bond0-slave-$BNIC >> ~/sosetup.log 2>&1 + nmcli con up bond0-slave-$BONDNIC >> ~/sosetup.log 2>&1 done } From 1b0bf5a0d34cb7fdebcafd689d48863146cf314c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 31 May 2019 16:37:10 -0400 Subject: [PATCH 09/66] Fixed issues around ipv4/v6 flags being set incorrectly --- so-setup-network.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index f3c083e82..f4004477f 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -258,7 +258,7 @@ create_bond_nmcli() { bond.options "mode=0" \ 802-3-ethernet.mtu $MTU \ ipv4.method "disabled" \ - ipv6.method "disabled" \ + ipv6.method "ignore" \ connection.autoconnect "yes" \ >> ~/sosetup.log 2>&1 
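Review bot: Both `nmcli con add` calls create a fresh profile every time setup runs, and as far as I know NetworkManager does not reject a duplicate `con-name`, so a re-install — something this series explicitly plans for elsewhere (`clear_master`, `auth_pillar`) — leaves stale `bond0` and `bond0-slave-*` profiles with autoconnect enabled competing for the same NICs. Remove any previous profile before adding: `nmcli con delete bond0 >> ~/sosetup.log 2>&1` ahead of the bond add and `nmcli con delete "bond0-slave-$BONDNIC" >> ~/sosetup.log 2>&1` ahead of each slave add (when no such profile exists the delete only logs an error). The new `BONDNIC="$(echo -e "${BNIC}" | tr -d '"')"` also runs the interface name through `echo -e`, which interprets backslash escapes; `BONDNIC=${BNIC//\"/}` strips the quotes with neither that nor a pipeline. The function header and the `MTU` setup precede this hunk.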
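Review bot: Switching bond0 to `ipv6.method "ignore"` makes NetworkManager leave IPv6 alone, which, unlike `ipv4.method "disabled"`, does not stop the kernel from assigning a link-local address and answering neighbour solicitations on what should be a passive capture interface; the Ubuntu branch of the legacy `create_bond` handles exactly this with `post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6`. If `disabled` was dropped because the target nmcli rejects it for IPv6, keep `ignore` and add the sysctl after bond0 is up, e.g. `echo 1 > /proc/sys/net/ipv6/conf/bond0/disable_ipv6 >> ~/sosetup.log 2>&1`, and the same for each slave. The `nmcli con add type bond` this option belongs to starts on the line before the hunk and its trailing arguments continue after it.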
@@ -267,10 +267,8 @@ create_bond_nmcli() { BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" # Create the slave interface and assign it to the bond nmcli con add type ethernet ifname $BONDNIC master bond0 \ - connection.autoconnect yes \ + connection.autoconnect "yes" \ 802-3-ethernet.mtu $MTU \ - ipv4.method "disabled" \ - ipv6.method "disabled" \ con-name "bond0-slave-$BONDNIC" \ >> ~/sosetup.log 2>&1 # Bring the slave interface up From 5630da5998bf6628ed27d68b30061a19f7dd83b9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 6 Jun 2019 10:58:43 -0400 Subject: [PATCH 10/66] Sensoroni Master - Add Initial files --- salt/firewall/init.sls | 23 + salt/sensoroni/files/sensoroni.conf | 1 + salt/sensoroni/init.sls | 30 + so-setup-iso.sh | 2032 +++++++++++++++++++++++++++ 4 files changed, 2086 insertions(+) create mode 100644 salt/sensoroni/files/sensoroni.conf create mode 100644 salt/sensoroni/init.sls create mode 100644 so-setup-iso.sh diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index cfde43365..4ac7dc0c9 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -315,6 +315,17 @@ enable_forwardnode_beats_5044_{{ip}}: - position: 1 - save: True +enable_forwardnode_sensoroni_9822_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: tcp + - source: {{ ip }} + - dport: 9822 + - position: 1 + - save: True + {% endfor %} {% for ip in pillar.get('storage_nodes') %} @@ -444,6 +455,18 @@ enable_standard_analyst_9001_{{ip}}: - position: 1 - save: True +# This is temporary for sensoroni testing +enable_standard_analyst_9822_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: tcp + - source: {{ ip }} + - dport: 9822 + - position: 1 + - save: True + {% endfor %} # Rules for storage nodes connecting to master diff --git a/salt/sensoroni/files/sensoroni.conf b/salt/sensoroni/files/sensoroni.conf new file mode 100644 index 000000000..7904b3cc1 --- /dev/null 
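Review bot: Every expansion in the slave `nmcli con add` is unquoted (`$BONDNIC`, `$MTU`, plus `${BNICS[@]}` in the loop header before this hunk), and neither this call nor the `nmcli con up` that follows the hunk has its exit status checked, so a failed slave silently lands in the log while setup continues to build a sensor on an interface that never joined bond0. Quote the expansions (`ifname "$BONDNIC"`, `802-3-ethernet.mtu "$MTU"`, `con-name "bond0-slave-$BONDNIC"`) and make the activation failure visible: `nmcli con up "bond0-slave-$BONDNIC" >> ~/sosetup.log 2>&1 || echo "Failed to activate bond0-slave-$BONDNIC" >> ~/sosetup.log`. The end-of-run check in this script only greps the last ten log lines for `Failed`, so an early failure here is otherwise invisible to the operator. The `for BNIC` loop header precedes the hunk and its `nmcli con up`/`done` follow it.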
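Review bot: The new `enable_forwardnode_sensoroni_9822_{{ip}}` state carries no comment, while its analyst twin later in the same file is flagged as temporary testing, so a reader cannot tell whether forward nodes are meant to keep this access permanently. A one-line comment above the state such as `# Forward nodes reach sensoroni on the master over 9822` (or the same temporary marker, if that is the intent) would settle it. The `{% for ip in … %}` loop enclosing this state begins before the hunk.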
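Review bot: The rule marked `# This is temporary for sensoroni testing` is persisted (`save: True`) and inserted at position 1 of DOCKER-USER for every analyst address, and nothing in the state removes it again, so once applied it survives until someone edits this file and adds a matching `iptables.delete`. If it really is temporary, gate it on a pillar flag so it can be switched off without a code change, e.g. wrap the state in `{% if pillar.get('sensoroni_testing', False) %} … {% endif %}`, or at least extend the comment with what must happen before release. The sensoroni container added in this same commit publishes 9822 on `0.0.0.0`, so this DOCKER-USER rule set is the only thing limiting who can reach it. The `{% for ip in … %}` loop enclosing this state begins before the hunk.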
+++ b/salt/sensoroni/files/sensoroni.conf @@ -0,0 +1 @@ +# Config File if Needed diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls new file mode 100644 index 000000000..1d00dec90 --- /dev/null +++ b/salt/sensoroni/init.sls @@ -0,0 +1,30 @@ +sensoronidir: + file.directory: + - name: /opt/so/conf/sensoroni + - user: 939 + - group: 939 + - makedirs: True + +sensoronisync: + file.recurse: + - name: /opt/so/conf/sensoroni + - source: salt://sensoroni/files + - user: 939 + - group: 939 + - template: jinja + +so-sensoroniimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-sensoroni:HH1.1.0 + +so-sensoroni: + docker_container.running: + - require: + - so-sensoroniimage + - image: soshybridhunter/so-sensoroni:HH1.0.8 + - hostname: sensoroni + - name: so-sensoroni + - binds: + - /opt/so/conf/sensoroni:/sensoroni:rw + - port_bindings: + - 0.0.0.0:9822:9822 diff --git a/so-setup-iso.sh b/so-setup-iso.sh new file mode 100644 index 000000000..b31e86369 --- /dev/null +++ b/so-setup-iso.sh 
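Review bot: `so-sensoroniimage` pulls `soshybridhunter/so-sensoroni:HH1.1.0` with content trust enforced (`--disable-content-trust=false`), but `so-sensoroni` runs `soshybridhunter/so-sensoroni:HH1.0.8`, so the trust-verified image is never the one started and Salt will, as I understand `docker_container.running`, fetch the HH1.0.8 tag on its own outside that check. Pin both to the same tag (`- image: soshybridhunter/so-sensoroni:HH1.1.0`), ideally through a single Jinja variable so they cannot drift apart again. The `cmd.run` pull also has no `unless`, so it re-pulls on every highstate, and `0.0.0.0:9822:9822` exposes the service on every interface, leaving the DOCKER-USER rules in this commit as the only access control; binding to the master's management address would narrow that.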
@@ -0,0 +1,2032 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Global Variable Section +HOSTNAME=$(cat /etc/hostname) +TOTAL_MEM=`grep MemTotal /proc/meminfo | awk '{print $2}' | sed -r 's/.{3}$//'` +NICS=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2 " \"" "Interface" "\"" " OFF"}') +CPUCORES=$(cat /proc/cpuinfo | grep processor | wc -l) +LISTCORES=$(cat /proc/cpuinfo | grep processor | awk '{print $3 " \"" "core" "\""}') +RANDOMUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) +NODE_ES_PORT="9200" + +# Reset the Install Log +date -u >~/sosetup.log 2>&1 + +# End Global Variable Section + +# Functions + +accept_salt_key_local() { + echo "Accept the key locally on the master" >>~/sosetup.log 2>&1 + # Accept the key locally on the master + salt-key -ya $HOSTNAME + +} + +accept_salt_key_remote() { + echo "Accept the key remotely on the master" >>~/sosetup.log 2>&1 + # Delete the key just in case. + ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -d $HOSTNAME -y + salt-call state.apply ca + ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -a $HOSTNAME -y + +} + +add_master_hostfile() { + echo "Checking if I can resolve master. 
If not add to hosts file" >>~/sosetup.log 2>&1 + # Pop up an input to get the IP address + local MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \ + "Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3) + + # Add the master to the host file if it doesn't resolve + if ! grep -q $MSRVIP /etc/hosts; then + echo "$MSRVIP $MSRV" >> /etc/hosts + fi +} + +add_socore_user_master() { + echo "Add socore on the master" >>~/sosetup.log 2>&1 + if [ $OS == 'centos' ]; then + local ADDUSER=adduser + else + local ADDUSER=useradd + fi + # Add user "socore" to the master. This will be for things like accepting keys. + groupadd --gid 939 socore + $ADDUSER --uid 939 --gid 939 --home-dir /opt/so socore + # Prompt the user to set a password for the user + passwd socore + +} + +add_socore_user_notmaster() { + echo "Add socore user on non master" >>~/sosetup.log 2>&1 + # Add socore user to the non master system. Probably not a bad idea to make system user + groupadd --gid 939 socore + $ADDUSER --uid 939 --gid 939 --home-dir /opt/so --no-create-home socore + +} + +# Create an auth pillar so that passwords survive re-install +auth_pillar(){ + + if [ ! 
-f /opt/so/saltstack/pillar/auth.sls ]; then + echo "Creating Auth Pillar" >>~/sosetup.log 2>&1 + mkdir -p /opt/so/saltstack/pillar + echo "auth:" >> /opt/so/saltstack/pillar/auth.sls + echo " mysql: $MYSQLPASS" >> /opt/so/saltstack/pillar/auth.sls + echo " fleet: $FLEETPASS" >> /opt/so/saltstack/pillar/auth.sls + fi + +} + +# Enable Bro Logs +bro_logs_enabled() { + echo "Enabling Bro Logs" >>~/sosetup.log 2>&1 + + echo "brologs:" > pillar/brologs.sls + echo " enabled:" >> pillar/brologs.sls + + if [ $MASTERADV == 'ADVANCED' ]; then + for BLOG in ${BLOGS[@]}; do + echo " - $BLOG" | tr -d '"' >> pillar/brologs.sls + done + else + echo " - conn" >> pillar/brologs.sls + echo " - dce_rpc" >> pillar/brologs.sls + echo " - dhcp" >> pillar/brologs.sls + echo " - dhcpv6" >> pillar/brologs.sls + echo " - dnp3" >> pillar/brologs.sls + echo " - dns" >> pillar/brologs.sls + echo " - dpd" >> pillar/brologs.sls + echo " - files" >> pillar/brologs.sls + echo " - ftp" >> pillar/brologs.sls + echo " - http" >> pillar/brologs.sls + echo " - intel" >> pillar/brologs.sls + echo " - irc" >> pillar/brologs.sls + echo " - kerberos" >> pillar/brologs.sls + echo " - modbus" >> pillar/brologs.sls + echo " - mqtt" >> pillar/brologs.sls + echo " - notice" >> pillar/brologs.sls + echo " - ntlm" >> pillar/brologs.sls + echo " - openvpn" >> pillar/brologs.sls + echo " - pe" >> pillar/brologs.sls + echo " - radius" >> pillar/brologs.sls + echo " - rfb" >> pillar/brologs.sls + echo " - rdp" >> pillar/brologs.sls + echo " - signatures" >> pillar/brologs.sls + echo " - sip" >> pillar/brologs.sls + echo " - smb_files" >> pillar/brologs.sls + echo " - smb_mapping" >> pillar/brologs.sls + echo " - smtp" >> pillar/brologs.sls + echo " - snmp" >> pillar/brologs.sls + echo " - software" >> pillar/brologs.sls + echo " - ssh" >> pillar/brologs.sls + echo " - ssl" >> pillar/brologs.sls + echo " - syslog" >> pillar/brologs.sls + echo " - telnet" >> pillar/brologs.sls + echo " - tunnel" >> pillar/brologs.sls + 
echo " - weird" >> pillar/brologs.sls + echo " - mysql" >> pillar/brologs.sls + echo " - socks" >> pillar/brologs.sls + echo " - x509" >> pillar/brologs.sls + fi +} + +calculate_useable_cores() { + + # Calculate reasonable core usage + local CORES4BRO=$(( $CPUCORES/2 - 1 )) + LBPROCSROUND=$(printf "%.0f\n" $CORES4BRO) + # We don't want it to be 0 + if [ "$LBPROCSROUND" -lt 1 ]; then + LBPROCS=1 + else + LBPROCS=$LBPROCSROUND + fi + +} + +checkin_at_boot() { + echo "Enabling checkin at boot" >>~/sosetup.log 2>&1 + echo "startup_states: highstate" >> /etc/salt/minion +} + +chown_salt_master() { + + echo "Chown the salt dirs on the master for socore" >>~/sosetup.log 2>&1 + chown -R socore:socore /opt/so + +} + +clear_master() { + # Clear out the old master public key in case this is a re-install. + # This only happens if you re-install the master. + if [ -f /etc/salt/pki/minion/minion_master.pub ]; then + echo "Clearing old master key" >>~/sosetup.log 2>&1 + rm /etc/salt/pki/minion/minion_master.pub + service salt-minion restart + fi + +} + +configure_minion() { + + # You have to pass the TYPE to this function so it knows if its a master or not + local TYPE=$1 + echo "Configuring minion type as $TYPE" >>~/sosetup.log 2>&1 + touch /etc/salt/grains + echo "role: so-$TYPE" > /etc/salt/grains + if [ $TYPE == 'master' ] || [ $TYPE == 'eval' ]; then + echo "master: $HOSTNAME" > /etc/salt/minion + echo "id: $HOSTNAME" >> /etc/salt/minion + echo "mysql.host: '$MAINIP'" >> /etc/salt/minion + echo "mysql.port: 3306" >> /etc/salt/minion + echo "mysql.user: 'root'" >> /etc/salt/minion + if [ ! 
-f /opt/so/saltstack/pillar/auth.sls ]; then + echo "mysql.pass: '$MYSQLPASS'" >> /etc/salt/minion + else + OLDPASS=$(cat /opt/so/saltstack/pillar/auth.sls | grep mysql | awk {'print $2'}) + echo "mysql.pass: '$OLDPASS'" >> /etc/salt/minion + fi + else + echo "master: $MSRV" > /etc/salt/minion + echo "id: $HOSTNAME" >> /etc/salt/minion + + fi + + service salt-minion restart + +} + +copy_master_config() { + + # Copy the master config template to the proper directory + cp files/master /etc/salt/master + # Restart the service so it picks up the changes -TODO Enable service on CentOS + service salt-master restart + +} + +copy_minion_pillar() { + + # Pass the type so it knows where to copy the pillar + local TYPE=$1 + + # Copy over the pillar + echo "Copying the pillar over" >>~/sosetup.log 2>&1 + scp -v -i /root/.ssh/so.key $TMP/$HOSTNAME.sls socore@$MSRV:/opt/so/saltstack/pillar/$TYPE/$HOSTNAME.sls + + } + +copy_ssh_key() { + + # Generate SSH key + mkdir -p /root/.ssh + cat /dev/zero | ssh-keygen -f /root/.ssh/so.key -t rsa -q -N "" + chown -R $SUDO_USER:$SUDO_USER /root/.ssh + #Copy the key over to the master + ssh-copy-id -f -i /root/.ssh/so.key socore@$MSRV + +} + +create_bond() { + + # Create the bond interface + echo "Setting up Bond" >>~/sosetup.log 2>&1 + + # Set the MTU + if [ $NSMSETUP != 'ADVANCED' ]; then + MTU=1500 + fi + + # Do something different based on the OS + if [ $OS == 'centos' ]; then + modprobe --first-time bonding + touch /etc/sysconfig/network-scripts/ifcfg-bond0 + echo "DEVICE=bond0" > /etc/sysconfig/network-scripts/ifcfg-bond0 + echo "NAME=bond0" >> /etc/sysconfig/network-scripts/ifcfg-bond0 + echo "Type=Bond" >> /etc/sysconfig/network-scripts/ifcfg-bond0 + echo "BONDING_MASTER=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond0 + echo "BOOTPROTO=none" >> /etc/sysconfig/network-scripts/ifcfg-bond0 + echo "BONDING_OPTS=\"mode=0\"" >> /etc/sysconfig/network-scripts/ifcfg-bond0 + echo "ONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond0 + 
echo "MTU=$MTU" >> /etc/sysconfig/network-scripts/ifcfg-bond0 + + # Create Bond configs for the selected monitor interface + for BNIC in ${BNICS[@]}; do + BONDNIC="${BNIC%\"}" + BONDNIC="${BONDNIC#\"}" + sed -i 's/ONBOOT=no/ONBOOT=yes/g' /etc/sysconfig/network-scripts/ifcfg-$BONDNIC + echo "MASTER=bond0" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC + echo "SLAVE=yes" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC + echo "MTU=$MTU" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC + done + nmcli con reload >>~/sosetup.log 2>&1 + systemctl restart network >>~/sosetup.log 2>&1 + + else + + # Need to add 17.04 support still + apt-get -y install ifenslave >>~/sosetup.log 2>&1 + if ! grep -q bonding /etc/modules; then + echo "bonding" >> /etc/modules + fi + modprobe bonding >>~/sosetup.log 2>&1 + + local LBACK=$(awk '/auto lo/,/^$/' /etc/network/interfaces) + local MINT=$(awk "/auto $MNIC/,/^$/" /etc/network/interfaces) + + # Backup and create a new interface file + cp /etc/network/interfaces /etc/network/interfaces.sosetup + echo "source /etc/network/interfaces.d/*" > /etc/network/interfaces + echo "" >> /etc/network/interfaces + + # Let's set up the new interface file + # Populate lo and create file for the management interface + IFS=$'\n' + for line in $LBACK + do + echo $line >> /etc/network/interfaces + done + + IFS=$'\n' + for line in $MINT + do + echo $line >> /etc/network/interfaces.d/$MNIC + done + + # Create entries for each interface that is part of the bond. 
+ for BNIC in ${BNICS[@]}; do + + BNIC=$(echo $BNIC | cut -d\" -f2) + echo "auto $BNIC" >> /etc/network/interfaces.d/$BNIC + echo "iface $BNIC inet manual" >> /etc/network/interfaces.d/$BNIC + echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/$BNIC + echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/$BNIC + echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/$BNIC + echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/$BNIC + echo " bond-master bond0" >> /etc/network/interfaces.d/$BNIC + echo " mtu $MTU" >> /etc/network/interfaces.d/$BNIC + + done + + BN=("${BNICS[@]//\"/}") + + echo "auto bond0" > /etc/network/interfaces.d/bond0 + echo "iface bond0 inet manual" >> /etc/network/interfaces.d/bond0 + echo " bond-mode 0" >> /etc/network/interfaces.d/bond0 + echo " bond-slaves $BN" >> /etc/network/interfaces.d/bond0 + echo " mtu $MTU" >> /etc/network/interfaces.d/bond0 + echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/bond0 + echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/bond0 + echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/bond0 + echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/bond0 + fi + +} + +detect_os() { + + # Detect Base OS + echo "Detecting Base OS" >>~/sosetup.log 2>&1 + if [ -f /etc/redhat-release ]; then + OS=centos + yum -y install bind-utils + elif [ -f /etc/os-release ]; then + OS=ubuntu + else + echo "We were unable to determine if you are using a supported OS." 
>>~/sosetup.log 2>&1 + exit + fi + +} + +docker_install() { + + if [ $OS == 'centos' ]; then + yum clean expire-cache + yum -y install yum-utils device-mapper-persistent-data lvm2 openssl + yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo + yum -y update + yum -y install docker-ce docker-python python-docker + docker_registry + echo "Restarting Docker" >>~/sosetup.log 2>&1 + systemctl restart docker + systemctl enable docker + + else + if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then + apt-get update >>~/sosetup.log 2>&1 + apt-get -y install docker-ce >>~/sosetup.log 2>&1 + docker_registry >>~/sosetup.log 2>&1 + echo "Restarting Docker" >>~/sosetup.log 2>&1 + systemctl restart docker >>~/sosetup.log 2>&1 + else + apt-key add $TMP/gpg/docker.pub >>~/sosetup.log 2>&1 + add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >>~/sosetup.log 2>&1 + apt-get update >>~/sosetup.log 2>&1 + apt-get -y install docker-ce >>~/sosetup.log 2>&1 + docker_registry >>~/sosetup.log 2>&1 + echo "Restarting Docker" >>~/sosetup.log 2>&1 + systemctl restart docker >>~/sosetup.log 2>&1 + fi + fi + +} + +docker_registry() { + + echo "Setting up Docker Registry" >>~/sosetup.log 2>&1 + mkdir -p /etc/docker >>~/sosetup.log 2>&1 + # Make the host use the master docker registry + echo "{" > /etc/docker/daemon.json + echo " \"registry-mirrors\": [\"https://$MSRV:5000\"]" >> /etc/docker/daemon.json + echo "}" >> /etc/docker/daemon.json + echo "Docker Registry Setup - Complete" >>~/sosetup.log 2>&1 + +} + +es_heapsize() { + + # Determine ES Heap Size + if [ $TOTAL_MEM -lt 8000 ] ; then + ES_HEAP_SIZE="600m" + elif [ $TOTAL_MEM -ge 100000 ]; then + # Set a max of 25GB for heap size + # https://www.elastic.co/guide/en/elasticsearch/guide/current/heap-sizing.html + ES_HEAP_SIZE="25000m" + else + # Set heap size to 25% of available memory + ES_HEAP_SIZE=$(($TOTAL_MEM / 4))"m" + fi + +} + 
+eval_mode_hostsfile() { + + echo "127.0.0.1 $HOSTNAME" >> /etc/hosts + +} + +filter_nics() { + + # Filter the NICs that we don't want to see in setup + FNICS=$(ip link | grep -vw $MNIC | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2 " \"" "Interface" "\"" " OFF"}') + +} + +generate_passwords(){ + # Generate Random Passwords for Things + MYSQLPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) + FLEETPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) + HIVEKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) +} + +get_filesystem_nsm(){ + FSNSM=$(df /nsm | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }') +} + +get_log_size_limit() { + + DISK_DIR="/" + if [ -d /nsm ]; then + DISK_DIR="/nsm" + fi + DISK_SIZE_K=`df $DISK_DIR |grep -v "^Filesystem" | awk '{print $2}'` + PERCENTAGE=85 + DISK_SIZE=DISK_SIZE_K*1000 + PERCENTAGE_DISK_SPACE=`echo $(($DISK_SIZE*$PERCENTAGE/100))` + LOG_SIZE_LIMIT=$(($PERCENTAGE_DISK_SPACE/1000000000)) + +} + +get_filesystem_root(){ + FSROOT=$(df / | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }') +} + +get_main_ip() { + + # Get the main IP address the box is using + MAINIP=$(ip route get 1 | awk '{print $NF;exit}') + MAININT=$(ip route get 1 | awk '{print $5;exit}') + +} + +got_root() { + + # Make sure you are root + if [ "$(id -u)" -ne 0 ]; then + echo "This script must be run using sudo!" 
+ exit 1 + fi + +} + +install_cleanup() { + + # Clean up after ourselves + rm -rf /root/installtmp + +} + +install_prep() { + + # Create a tmp space that isn't in /tmp + mkdir /root/installtmp + TMP=/root/installtmp + +} + +install_master() { + + # Install the salt master package + if [ $OS == 'centos' ]; then + yum -y install wget salt-common salt-master >>~/sosetup.log 2>&1 + + # Create a place for the keys for Ubuntu minions + mkdir -p /opt/so/gpg + wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub + wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg + wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH + + else + apt-get install -y salt-common=2018.3.4+ds-1 salt-master=2018.3.4+ds-1 salt-minion=2018.3.4+ds-1 python-m2crypto + apt-mark hold salt-common salt-master salt-minion + apt-get install -y python-m2crypto + fi + + copy_master_config + +} + +ls_heapsize() { + + # Determine LS Heap Size + if [ $TOTAL_MEM -ge 16000 ] ; then + LS_HEAP_SIZE="4192m" + else + # Set a max of 1GB heap if you have less than 16GB RAM + LS_HEAP_SIZE="2g" + fi + +} + +master_pillar() { + + # Create the master pillar + touch /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo "master:" > /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " mainip: $MAINIP" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " mainint: $MAININT" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " esheap: $ES_HEAP_SIZE" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " esclustername: {{ grains.host }}" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + if [ $INSTALLTYPE == 'EVALMODE' ]; then + echo " freq: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " domainstats: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " ls_pipeline_batch_size: 125" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls 
+ echo " ls_input_threads: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " ls_batch_count: 125" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " mtu: 1500" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + + else + echo " freq: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " domainstats: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + fi + echo " lsheap: $LS_HEAP_SIZE" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " lsaccessip: 127.0.0.1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " elastalert: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " ls_pipeline_workers: $CPUCORES" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " nids_rules: $RULESETUP" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " oinkcode: $OINKCODE" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + #echo " access_key: $ACCESS_KEY" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + #echo " access_secret: $ACCESS_SECRET" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " es_port: $NODE_ES_PORT" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " log_size_limit: $LOG_SIZE_LIMIT" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " cur_close_days: $CURCLOSEDAYS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + #echo " mysqlpass: $MYSQLPASS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + #echo " fleetpass: $FLEETPASS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " grafana: $GRAFANA" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " osquery: $OSQUERY" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " wazuh: $WAZUH" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + echo " thehive: $THEHIVE" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls + } + +master_static() { + + # Create a static file for global values + touch /opt/so/saltstack/pillar/static.sls + + echo "static:" > /opt/so/saltstack/pillar/static.sls + echo " hnmaster: $HNMASTER" >> 
/opt/so/saltstack/pillar/static.sls + echo " ntpserver: $NTPSERVER" >> /opt/so/saltstack/pillar/static.sls + echo " proxy: $PROXY" >> /opt/so/saltstack/pillar/static.sls + echo " broversion: $BROVERSION" >> /opt/so/saltstack/pillar/static.sls + echo " ids: $NIDS" >> /opt/so/saltstack/pillar/static.sls + echo " masterip: $MAINIP" >> /opt/so/saltstack/pillar/static.sls + echo " hiveuser: hiveadmin" >> /opt/so/saltstack/pillar/static.sls + echo " hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls + echo " hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls + echo " fleetsetup: 0" >> /opt/so/saltstack/pillar/static.sls + if [[ $MASTERUPDATES == 'MASTER' ]]; then + echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls + else + echo " masterupdate: 0" >> /opt/so/saltstack/pillar/static.sls + fi +} + +minio_generate_keys() { + + local charSet="[:graph:]" + + ACCESS_KEY=$(cat /dev/urandom | tr -cd "$charSet" | tr -d \' | tr -d \" | head -c 20) + ACCESS_SECRET=$(cat /dev/urandom | tr -cd "$charSet" | tr -d \' | tr -d \" | head -c 40) + +} + +node_pillar() { + + # Create the node pillar + touch $TMP/$HOSTNAME.sls + echo "node:" > $TMP/$HOSTNAME.sls + echo " mainip: $MAINIP" >> $TMP/$HOSTNAME.sls + echo " mainint: $MAININT" >> $TMP/$HOSTNAME.sls + echo " esheap: $NODE_ES_HEAP_SIZE" >> $TMP/$HOSTNAME.sls + echo " esclustername: {{ grains.host }}" >> $TMP/$HOSTNAME.sls + echo " lsheap: $NODE_LS_HEAP_SIZE" >> $TMP/$HOSTNAME.sls + echo " ls_pipeline_workers: $LSPIPELINEWORKERS" >> $TMP/$HOSTNAME.sls + echo " ls_pipeline_batch_size: $LSPIPELINEBATCH" >> $TMP/$HOSTNAME.sls + echo " ls_input_threads: $LSINPUTTHREADS" >> $TMP/$HOSTNAME.sls + echo " ls_batch_count: $LSINPUTBATCHCOUNT" >> $TMP/$HOSTNAME.sls + echo " es_shard_count: $SHARDCOUNT" >> $TMP/$HOSTNAME.sls + echo " node_type: $NODETYPE" >> $TMP/$HOSTNAME.sls + echo " es_port: $NODE_ES_PORT" >> $TMP/$HOSTNAME.sls + echo " log_size_limit: $LOG_SIZE_LIMIT" >> $TMP/$HOSTNAME.sls + echo " 
cur_close_days: $CURCLOSEDAYS" >> $TMP/$HOSTNAME.sls + +} + +process_components() { + CLEAN=${COMPONENTS//\"} + GRAFANA=0 + OSQUERY=0 + WAZUH=0 + THEHIVE=0 + + IFS=$' ' + for item in $(echo "$CLEAN"); do + let $item=1 + done + unset IFS +} + +saltify() { + + # Install updates and Salt + if [ $OS == 'centos' ]; then + ADDUSER=adduser + + if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then + yum -y install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm + cp /etc/yum.repos.d/salt-latest.repo /etc/yum.repos.d/salt-2018-3.repo + sed -i 's/latest/2018.3/g' /etc/yum.repos.d/salt-2018-3.repo + cat > /etc/yum.repos.d/wazuh.repo <<\EOF +[wazuh_repo] +gpgcheck=1 +gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH +enabled=1 +name=Wazuh repository +baseurl=https://packages.wazuh.com/3.x/yum/ +protect=1 +EOF + + else + + if [ $MASTERUPDATES == 'MASTER' ]; then + + # Create the GPG Public Key for the Salt Repo + echo "-----BEGIN PGP PUBLIC KEY BLOCK-----" > /etc/pki/rpm-gpg/saltstack-signing-key + echo "Version: GnuPG v2.0.22 (GNU/Linux)" >> /etc/pki/rpm-gpg/saltstack-signing-key + echo "" >> /etc/pki/rpm-gpg/saltstack-signing-key + echo "mQENBFOpvpgBCADkP656H41i8fpplEEB8IeLhugyC2rTEwwSclb8tQNYtUiGdna9" >> /etc/pki/rpm-gpg/saltstack-signing-key + echo "m38kb0OS2DDrEdtdQb2hWCnswxaAkUunb2qq18vd3dBvlnI+C4/xu5ksZZkRj+fW" >> /etc/pki/rpm-gpg/saltstack-signing-key + echo "tArNR18V+2jkwcG26m8AxIrT+m4M6/bgnSfHTBtT5adNfVcTHqiT1JtCbQcXmwVw" >> /etc/pki/rpm-gpg/saltstack-signing-key + echo "WbqS6v/LhcsBE//SHne4uBCK/GHxZHhQ5jz5h+3vWeV4gvxS3Xu6v1IlIpLDwUts" >> /etc/pki/rpm-gpg/saltstack-signing-key + echo "kT1DumfynYnnZmWTGc6SYyIFXTPJLtnoWDb9OBdWgZxXfHEcBsKGha+bXO+m2tHA" >> /etc/pki/rpm-gpg/saltstack-signing-key + echo "gNneN9i5f8oNxo5njrL8jkCckOpNpng18BKXABEBAAG0MlNhbHRTdGFjayBQYWNr" >> /etc/pki/rpm-gpg/saltstack-signing-key + echo "YWdpbmcgVGVhbSA8cGFja2FnaW5nQHNhbHRzdGFjay5jb20+iQE4BBMBAgAiBQJT" >> /etc/pki/rpm-gpg/saltstack-signing-key + 
echo "qb6YAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAOCKFJ3le/vhkqB/0Q" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "WzELZf4d87WApzolLG+zpsJKtt/ueXL1W1KA7JILhXB1uyvVORt8uA9FjmE083o1" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "yE66wCya7V8hjNn2lkLXboOUd1UTErlRg1GYbIt++VPscTxHxwpjDGxDB1/fiX2o" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "nK5SEpuj4IeIPJVE/uLNAwZyfX8DArLVJ5h8lknwiHlQLGlnOu9ulEAejwAKt9CU" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "4oYTszYM4xrbtjB/fR+mPnYh2fBoQO4d/NQiejIEyd9IEEMd/03AJQBuMux62tjA" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "/NwvQ9eqNgLw9NisFNHRWtP4jhAOsshv1WW+zPzu3ozoO+lLHixUIz7fqRk38q8Q" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "9oNR31KvrkSNrFbA3D89uQENBFOpvpgBCADJ79iH10AfAfpTBEQwa6vzUI3Eltqb" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "9aZ0xbZV8V/8pnuU7rqM7Z+nJgldibFk4gFG2bHCG1C5aEH/FmcOMvTKDhJSFQUx" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "uhgxttMArXm2c22OSy1hpsnVG68G32Nag/QFEJ++3hNnbyGZpHnPiYgej3FrerQJ" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "zv456wIsxRDMvJ1NZQB3twoCqwapC6FJE2hukSdWB5yCYpWlZJXBKzlYz/gwD/Fr" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "GL578WrLhKw3UvnJmlpqQaDKwmV2s7MsoZogC6wkHE92kGPG2GmoRD3ALjmCvN1E" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "PsIsQGnwpcXsRpYVCoW7e2nW4wUf7IkFZ94yOCmUq6WreWI4NggRcFC5ABEBAAGJ" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "AR8EGAECAAkFAlOpvpgCGwwACgkQDgihSd5Xv74/NggA08kEdBkiWWwJZUZEy7cK" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "WWcgjnRuOHd4rPeT+vQbOWGu6x4bxuVf9aTiYkf7ZjVF2lPn97EXOEGFWPZeZbH4" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "vdRFH9jMtP+rrLt6+3c9j0M8SIJYwBL1+CNpEC/BuHj/Ra/cmnG5ZNhYebm76h5f" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "T9iPW9fFww36FzFka4VPlvA4oB7ebBtquFg3sdQNU/MmTVV4jPFWXxh4oRDDR+8N" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "1bcPnbB11b5ary99F/mqr7RgQ+YFF0uKRE3SKa7a+6cIuHEZ7Za+zhPaQlzAOZlx" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "fuBmScum8uQTrEF5+Um5zkwC7EXTdH1co/+/V/fpOtxIg4XO4kcugZefVm5ERfVS" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "MA==" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "=dtMN" >> /etc/pki/rpm-gpg/saltstack-signing-key
+ echo "-----END PGP PUBLIC KEY BLOCK-----" >> /etc/pki/rpm-gpg/saltstack-signing-key
+
+ # Add the Wazuh Key
+ cat > /etc/pki/rpm-gpg/GPG-KEY-WAZUH <<\EOF
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQINBFeeyYwBEACyf4VwV8c2++J5BmCl6ofLCtSIW3UoVrF4F+P19k/0ngnSfjWb
+8pSWB11HjZ3Mr4YQeiD7yY06UZkrCXk+KXDlUjMK3VOY7oNPkqzNaP6+8bDwj4UA
+hADMkaXBvWooGizhCoBtDb1bSbHKcAnQ3PTdiuaqF5bcyKk8hv939CHulL2xH+BP
+mmTBi+PM83pwvR+VRTOT7QSzf29lW1jD79v4rtXHJs4KCz/amT/nUm/tBpv3q0sT
+9M9rH7MTQPdqvzMl122JcZST75GzFJFl0XdSHd5PAh2mV8qYak5NYNnwA41UQVIa
++xqhSu44liSeZWUfRdhrQ/Nb01KV8lLAs11Sz787xkdF4ad25V/Rtg/s4UXt35K3
+klGOBwDnzPgHK/OK2PescI5Ve1z4x1C2bkGze+gk/3IcfGJwKZDfKzTtqkZ0MgpN
+7RGghjkH4wpFmuswFFZRyV+s7jXYpxAesElDSmPJ0O07O4lQXQMROE+a2OCcm0eF
+3+Cr6qxGtOp1oYMOVH0vOLYTpwOkAM12/qm7/fYuVPBQtVpTojjV5GDl2uGq7p0o
+h9hyWnLeNRbAha0px6rXcF9wLwU5n7mH75mq5clps3sP1q1/VtP/Fr84Lm7OGke4
+9eD+tPNCdRx78RNWzhkdQxHk/b22LCn1v6p1Q0qBco9vw6eawEkz1qwAjQARAQAB
+tDFXYXp1aC5jb20gKFdhenVoIFNpZ25pbmcgS2V5KSA8c3VwcG9ydEB3YXp1aC5j
+b20+iQI9BBMBCAAnBQJXnsmMAhsDBQkFo5qABQsJCAcDBRUKCQgLBRYCAwEAAh4B
+AheAAAoJEJaz7l8pERFFHEsQAIaslejcW2NgjgOZuvn1Bht4JFMbCIPOekg4Z5yF
+binRz0wmA7JNaawDHTBYa6L+A2Xneu/LmuRjFRMesqopUukVeGQgHBXbGMzY46eI
+rqq/xgvgWzHSbWweiOX0nn+exbEAM5IyW+efkWNz0e8xM1LcxdYZxkVOqFqkp3Wv
+J9QUKw6z9ifUOx++G8UO307O3hT2f+x4MUoGZeOF4q1fNy/VyBS2lMg2HF7GWy2y
+kjbSe0p2VOFGEZLuu2f5tpPNth9UJiTliZKmgSk/zbKYmSjiVY2eDqNJ4qjuqes0
+vhpUaBjA+DgkEWUrUVXG5yfQDzTiYIF84LknjSJBYSLZ4ABsMjNO+GApiFPcih+B
+Xc9Kx7E9RNsNTDqvx40y+xmxDOzVIssXeKqwO8r5IdG3K7dkt2Vkc/7oHOpcKwE5
+8uASMPiqqMo+t1RVa6Spckp3Zz8REILbotnnVwDIwo2HmgASirMGUcttEJzubaIa
+Mv43GKs8RUH9s5NenC02lfZG7D8WQCz5ZH7yEWrt5bCaQRNDXjhsYE17SZ/ToHi3
+OpWu050ECWOHdxlXNG3dOWIdFDdBJM7UfUNSSOe2Y5RLsWfwvMFGbfpdlgJcMSDV
+X+ienkrtXhBteTu0dwPu6HZTFOjSftvtAo0VIqGQrKMvKelkkdNGdDFLQw2mUDcw
+EQj6uQINBFeeyYwBEADD1Y3zW5OrnYZ6ghTd5PXDAMB8Z1ienmnb2IUzLM+i0yE2
+TpKSP/XYCTBhFa390rYgFO2lbLDVsiz7Txd94nHrdWXGEQfwrbxsvdlLLWk7iN8l
+Fb4B60OfRi3yoR96a/kIPNa0x26+n79LtDuWZ/DTq5JSHztdd9F1sr3h8i5zYmtv
+luj99ZorpwYejbBVUm0+gP0ioaXM37uO56UFVQk3po9GaS+GtLnlgoE5volgNYyO
+rkeIua4uZVsifREkHCKoLJip6P7S3kTyfrpiSLhouEZ7kV1lbMbFgvHXyjm+/AIx
+HIBy+H+e+HNt5gZzTKUJsuBjx44+4jYsOR67EjOdtPOpgiuJXhedzShEO6rbu/O4
+wM1rX45ZXDYa2FGblHCQ/VaS0ttFtztk91xwlWvjTR8vGvp5tIfCi+1GixPRQpbN
+Y/oq8Kv4A7vB3JlJscJCljvRgaX0gTBzlaF6Gq0FdcWEl5F1zvsWCSc/Fv5WrUPY
+5mG0m69YUTeVO6cZS1aiu9Qh3QAT/7NbUuGXIaAxKnu+kkjLSz+nTTlOyvbG7BVF
+a6sDmv48Wqicebkc/rCtO4g8lO7KoA2xC/K/6PAxDrLkVyw8WPsAendmezNfHU+V
+32pvWoQoQqu8ysoaEYc/j9fN4H3mEBCN3QUJYCugmHP0pu7VtpWwwMUqcGeUVwAR
+AQABiQIlBBgBCAAPBQJXnsmMAhsMBQkFo5qAAAoJEJaz7l8pERFFz8IP/jfBxJSB
+iOw+uML+C4aeYxuHSdxmSsrJclYjkw7Asha/fm4Kkve00YAW8TGxwH2kgS72ooNJ
+1Q7hUxNbVyrJjQDSMkRKwghmrPnUM3UyHmE0dq+G2NhaPdFo8rKifLOPgwaWAfSV
+wgMTK86o0kqRbGpXgVIG5eRwv2FcxM3xGfy7sub07J2VEz7Ba6rYQ3NTbPK42AtV
++wRJDXcgS7y6ios4XQtSbIB5f6GI56zVlwfRd3hovV9ZAIJQ6DKM31wD6Kt/pRun
+DjwMZu0/82JMoqmxX/00sNdDT1S13guCfl1WhBu7y1ja9MUX5OpUzyEKg5sxme+L
+iY2Rhs6CjmbTm8ER4Uj8ydKyVTy8zbumbB6T8IwCAbEMtPxm6pKh/tgLpoJ+Bj0y
+AsGjmhV7R6PKZSDXg7/qQI98iC6DtWc9ibC/QuHLcvm3hz40mBgXAemPJygpxGst
+mVtU7O3oHw9cIUpkbMuVqSxgPFmSSq5vEYkka1CYeg8bOz6aCTuO5J0GDlLrpjtx
+6lyImbZAF/8zKnW19aq5lshT2qJlTQlZRwwDZX5rONhA6T8IEUnUyD4rAIQFwfJ+
+gsXa4ojD/tA9NLdiNeyEcNfyX3FZwXWCtVLXflzdRN293FKamcdnMjVRjkCnp7iu
+7eO7nMgcRoWddeU+2aJFqCoQtKCp/5EKhFey
+=UIVm
+-----END PGP PUBLIC KEY BLOCK-----
+EOF
+
+ # Proxy is hating on me.. Lets just set it manually
+ echo "[salt-latest]" > /etc/yum.repos.d/salt-latest.repo
+ echo "name=SaltStack Latest Release Channel for RHEL/Centos \$releasever" >> /etc/yum.repos.d/salt-latest.repo
+ echo "baseurl=https://repo.saltstack.com/yum/redhat/7/\$basearch/latest" >> /etc/yum.repos.d/salt-latest.repo
+ echo "failovermethod=priority" >> /etc/yum.repos.d/salt-latest.repo
+ echo "enabled=1" >> /etc/yum.repos.d/salt-latest.repo
+ echo "gpgcheck=1" >> /etc/yum.repos.d/salt-latest.repo
+ echo "gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key" >> /etc/yum.repos.d/salt-latest.repo
+
+ # Proxy is hating on me.. Lets just set it manually
+ echo "[salt-2018.3]" > /etc/yum.repos.d/salt-2018-3.repo
+ echo "name=SaltStack Latest Release Channel for RHEL/Centos \$releasever" >> /etc/yum.repos.d/salt-2018-3.repo
+ echo "baseurl=https://repo.saltstack.com/yum/redhat/7/\$basearch/2018.3" >> /etc/yum.repos.d/salt-2018-3.repo
+ echo "failovermethod=priority" >> /etc/yum.repos.d/salt-2018-3.repo
+ echo "enabled=1" >> /etc/yum.repos.d/salt-2018-3.repo
+ echo "gpgcheck=1" >> /etc/yum.repos.d/salt-2018-3.repo
+ echo "gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key" >> /etc/yum.repos.d/salt-2018-3.repo
+
+ cat > /etc/yum.repos.d/wazuh.repo <<\EOF
+[wazuh_repo]
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-WAZUH
+enabled=1
+name=Wazuh repository
+baseurl=https://packages.wazuh.com/3.x/yum/
+protect=1
+EOF
+ else
+ yum -y install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
+ cp /etc/yum.repos.d/salt-latest.repo /etc/yum.repos.d/salt-2018-3.repo
+ sed -i 's/latest/2018.3/g' /etc/yum.repos.d/salt-2018-3.repo
+cat > /etc/yum.repos.d/wazuh.repo <<\EOF
+[wazuh_repo]
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-WAZUH
+enabled=1
+name=Wazuh repository
+baseurl=https://packages.wazuh.com/3.x/yum/
+protect=1
+EOF
+ fi
+ fi
+
+ yum clean expire-cache
+ yum -y install salt-minion-2018.3.4 yum-utils device-mapper-persistent-data lvm2 openssl
+ yum -y update exclude=salt*
+ systemctl enable salt-minion
+
+ # Nasty hack but required for now
+ if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
+ yum -y install salt-master-2018.3.4 python-m2crypto salt-minion-2018.3.4 m2crypto
+ systemctl enable salt-master
+ else
+ yum -y install salt-minion-2018.3.4 python-m2m2crypto m2crypto
+ fi
+ echo "exclude=salt*" >> /etc/yum.conf
+
+ else
+ ADDUSER=useradd
+ DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade
+
+ # Add the pre-requisites for installing docker-ce
+ apt-get -y install ca-certificates curl software-properties-common apt-transport-https openssl >>~/sosetup.log 2>&1
+
+ # Grab the version from the os-release file
+ UVER=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}')
+
+ # Nasty hack but required for now
+ if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
+
+ # Install the repo for salt
+ wget --inet4-only -O - https://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest/SALTSTACK-GPG-KEY.pub | apt-key add -
+ wget --inet4-only -O - https://repo.saltstack.com/apt/ubuntu/$UVER/amd64/2018.3/SALTSTACK-GPG-KEY.pub | apt-key add -
+ echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest xenial main" > /etc/apt/sources.list.d/saltstack.list
+ echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/2018.3 xenial main" > /etc/apt/sources.list.d/saltstack2018.list
+
+ # Lets get the docker repo added
+ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+ add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+
+ # Create a place for the keys
+ mkdir -p /opt/so/gpg
+ wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest/SALTSTACK-GPG-KEY.pub
+ wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg
+ wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH
+
+ # Get key and install wazuh
+ curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
+ # Add repo
+ echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
+
+ # Initialize the new repos
+ apt-get update >>~/sosetup.log 2>&1
+ apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >>~/sosetup.log 2>&1
+ apt-mark hold salt-minion salt-common
+
+ else
+
+ # Copy down the gpg keys and install them from the master
+ mkdir $TMP/gpg
+ scp socore@$MSRV:/opt/so/gpg/* $TMP/gpg
+ apt-key add $TMP/gpg/SALTSTACK-GPG-KEY.pub
+ apt-key add $TMP/gpg/GPG-KEY-WAZUH
+ echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest xenial main" > /etc/apt/sources.list.d/saltstack.list
+ echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
+ # Initialize the new repos
+ apt-get update >>~/sosetup.log 2>&1
+ apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >>~/sosetup.log 2>&1
+ apt-mark hold salt-minion salt-common
+
+ fi
+
+ fi
+
+}
+
+salt_checkin() {
+ # Master State to Fix Mine Usage
+ if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
+ echo "Building Certificate Authority"
+ salt-call state.apply ca >>~/sosetup.log 2>&1
+ echo " *** Restarting Salt to fix any SSL errors. ***"
+ service salt-master restart >>~/sosetup.log 2>&1
+ sleep 5
+ service salt-minion restart >>~/sosetup.log 2>&1
+ sleep 15
+ echo " Applyng a mine hack "
+ sudo salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt >>~/sosetup.log 2>&1
+ echo " Applying SSL state "
+ salt-call state.apply ssl >>~/sosetup.log 2>&1
+ echo "Still Working... Hang in there"
+ #salt-call state.highstate
+
+ else
+
+ # Run Checkin
+ salt-call state.apply ca >>~/sosetup.log 2>&1
+ salt-call state.apply ssl >>~/sosetup.log 2>&1
+ #salt-call state.highstate >>~/sosetup.log 2>&1
+
+ fi
+
+}
+
+salt_checkin_message() {
+
+ # Warn the user that this might take a while
+ echo "####################################################"
+ echo "## ##"
+ echo "## Applying and Installing everything ##"
+ echo "## (This will take a while) ##"
+ echo "## ##"
+ echo "####################################################"
+
+}
+
+salt_firstcheckin() {
+
+ #First Checkin
+ salt-call state.highstate >>~/sosetup.log 2>&1
+
+}
+
+salt_master_directories() {
+
+ # Create salt paster directories
+ mkdir -p /opt/so/saltstack/salt
+ mkdir -p /opt/so/saltstack/pillar
+
+ # Copy over the salt code and templates
+ cp -R pillar/* /opt/so/saltstack/pillar/
+ chmod +x /opt/so/saltstack/pillar/firewall/addfirewall.sh
+ chmod +x /opt/so/saltstack/pillar/data/addtotab.sh
+ cp -R salt/* /opt/so/saltstack/salt/
+
+}
+
+sensor_pillar() {
+
+ # Create the sensor pillar
+ touch $TMP/$HOSTNAME.sls
+ echo "sensor:" > $TMP/$HOSTNAME.sls
+ echo " interface: bond0" >> $TMP/$HOSTNAME.sls
+ echo " mainip: $MAINIP" >> $TMP/$HOSTNAME.sls
+ echo " mainint: $MAININT" >> $TMP/$HOSTNAME.sls
+ if [ $NSMSETUP == 'ADVANCED' ]; then
+ echo " bro_pins:" >> $TMP/$HOSTNAME.sls
+ for PIN in $BROPINS; do
+ PIN=$(echo $PIN | cut -d\" -f2)
+ echo " - $PIN" >> $TMP/$HOSTNAME.sls
+ done
+ echo " suripins:" >> $TMP/$HOSTNAME.sls
+ for SPIN in $SURIPINS; do
+ SPIN=$(echo $SPIN | cut -d\" -f2)
+ echo " - $SPIN" >> $TMP/$HOSTNAME.sls
+ done
+ else
+ echo " bro_lbprocs: $BASICBRO" >> $TMP/$HOSTNAME.sls
+ echo " suriprocs: $BASICSURI" >> $TMP/$HOSTNAME.sls
+ fi
+ echo " brobpf:" >> $TMP/$HOSTNAME.sls
+ echo " pcapbpf:" >> $TMP/$HOSTNAME.sls
+ echo " nidsbpf:" >> $TMP/$HOSTNAME.sls
+ echo " master: $MSRV" >> $TMP/$HOSTNAME.sls
+ echo " mtu: $MTU" >> $TMP/$HOSTNAME.sls
+ if [ $HNSENSOR != 'inherit' ]; then
+ echo " hnsensor: $HNSENSOR" >> $TMP/$HOSTNAME.sls
+ fi
+ echo " access_key: $ACCESS_KEY" >> $TMP/$HOSTNAME.sls
+ echo " access_secret: $ACCESS_SECRET" >> $TMP/$HOSTNAME.sls
+
+}
+
+set_initial_firewall_policy() {
+
+ get_main_ip
+ if [ $INSTALLTYPE == 'MASTERONLY' ]; then
+ printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/minions.sls
+ printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/masterfw.sls
+ /opt/so/saltstack/pillar/data/addtotab.sh mastertab $HOSTNAME $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
+ fi
+
+ if [ $INSTALLTYPE == 'EVALMODE' ]; then
+ printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/minions.sls
+ printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/masterfw.sls
+ printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/forward_nodes.sls
+ printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/storage_nodes.sls
+ /opt/so/saltstack/pillar/data/addtotab.sh evaltab $HOSTNAME $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0
+ fi
+
+ if [ $INSTALLTYPE == 'SENSORONLY' ]; then
+ ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
+ ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP
+ ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab $HOSTNAME $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0
+ fi
+
+ if [ $INSTALLTYPE == 'STORAGENODE' ]; then
+ ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
+ ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh storage_nodes $MAINIP
+ ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $HOSTNAME $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
+ fi
+
+ if [ $INSTALLTYPE == 'PARSINGNODE' ]; then
+ echo "blah"
+ fi
+
+ if [ $INSTALLTYPE == 'HOTNODE' ]; then
+ echo "blah"
+ fi
+
+ if [ $INSTALLTYPE == 'WARMNODE' ]; then
+ echo "blah"
+ fi
+
+}
+
+set_node_type() {
+
+ # Determine the node type based on whiplash choice
+ if [ $INSTALLTYPE == 'STORAGENODE' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
+ NODETYPE='storage'
+ fi
+ if [ $INSTALLTYPE == 'PARSINGNODE' ]; then
+ NODETYPE='parser'
+ fi
+ if [ $INSTALLTYPE == 'HOTNODE' ]; then
+ NODETYPE='hot'
+ fi
+ if [ $INSTALLTYPE == 'WARMNODE' ]; then
+ NODETYPE='warm'
+ fi
+
+}
+
+set_updates() {
+ echo "MASTERUPDATES is $MASTERUPDATES"
+ if [ $MASTERUPDATES == 'MASTER' ]; then
+ if [ $OS == 'centos' ]; then
+ if ! grep -q $MSRV /etc/yum.conf; then
+ echo "proxy=http://$MSRV:3142" >> /etc/yum.conf
+ fi
+
+ else
+
+ # Set it up so the updates roll through the master
+ echo "Acquire::http::Proxy \"http://$MSRV:3142\";" > /etc/apt/apt.conf.d/00Proxy
+ echo "Acquire::https::Proxy \"http://$MSRV:3142\";" >> /etc/apt/apt.conf.d/00Proxy
+
+ fi
+ fi
+}
+
+update_sudoers() {
+
+ if ! grep -qE '^socore\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then
+ # Update Sudoers so that socore can accept keys without a password
+ echo "socore ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | sudo tee -a /etc/sudoers
+ echo "socore ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/firewall/addfirewall.sh" | sudo tee -a /etc/sudoers
+ echo "socore ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/data/addtotab.sh" | sudo tee -a /etc/sudoers
+ else
+ echo "User socore already granted sudo privileges"
+ fi
+
+}
+
+###########################################
+## ##
+## Whiptail Menu Section ##
+## ##
+###########################################
+
+whiptail_basic_bro() {
+
+ BASICBRO=$(whiptail --title "Security Onion Setup" --inputbox \
+ "Enter the number of bro processes:" 10 60 $LBPROCS 3>&1 1>&2 2>&3)
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_basic_suri() {
+
+ BASICSURI=$(whiptail --title "Security Onion Setup" --inputbox \
+ "Enter the number of Suricata Processes:" 10 60 $LBPROCS 3>&1 1>&2 2>&3)
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_bro_pins() {
+
+ BROPINS=$(whiptail --noitem --title "Pin Bro CPUS" --checklist "Please Select $LBPROCS cores to pin Bro to:" 20 78 12 ${LISTCORES[@]} 3>&1 1>&2 2>&3 )
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+
+}
+
+whiptail_bro_version() {
+
+ BROVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate meta data?" 20 78 4 "ZEEK" "Install Zeek (aka Bro)" ON \
+ "COMMUNITY" "Install Community NSM" OFF "SURICATA" "SUPER EXPERIMENTAL" OFF 3>&1 1>&2 2>&3)
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_bond_nics() {
+
+ BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 78 12 ${FNICS[@]} 3>&1 1>&2 2>&3 )
+
+ while [ -z "$BNICS" ]
+ do
+ BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 78 12 ${FNICS[@]} 3>&1 1>&2 2>&3 )
+ done
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_bond_nics_mtu() {
+
+ # Set the MTU on the monitor interface
+ MTU=$(whiptail --title "Security Onion Setup" --inputbox \
+ "Enter the MTU for the monitor NICs" 10 60 1500 3>&1 1>&2 2>&3)
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_cancel() {
+
+ whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 78
+ install_cleanup
+ exit
+
+}
+
+whiptail_check_exitstatus() {
+
+ if [ $1 == '1' ]; then
+ echo "They hit cancel"
+ whiptail_cancel
+ fi
+
+}
+
+whiptail_cur_close_days() {
+
+ CURCLOSEDAYS=$(whiptail --title "Security Onion Setup" --inputbox \
+ "Please specify the threshold (in days) at which Elasticsearch indices will be closed" 10 60 $CURCLOSEDAYS 3>&1 1>&2 2>&3)
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+whiptail_enable_components() {
+ COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \
+ "Select Components to install" 20 78 8 \
+ "GRAFANA" "Enable Grafana for system monitoring" ON \
+ "OSQUERY" "Enable Fleet with osquery" ON \
+ "WAZUH" "Enable Wazuh" ON \
+ "THEHIVE" "Enable TheHive" ON 3>&1 1>&2 2>&3 )
+}
+
+whiptail_eval_adv() {
+ EVALADVANCED=$(whiptail --title "Security Onion Setup" --radiolist \
+ "Choose your eval install:" 20 78 4 \
+ "BASIC" "Install basic components for evaluation" ON \
+ "ADVANCED" "Choose additional components to be installed" OFF 3>&1 1>&2 2>&3 )
+}
+
+whiptail_eval_adv_warning() {
+ whiptail --title "Security Onion Setup" --msgbox "Please keep in mind the more services that you enable the more RAM that is required." 8 78
+}
+
+whiptail_homenet_master() {
+
+ # Ask for the HOME_NET on the master
+ HNMASTER=$(whiptail --title "Security Onion Setup" --inputbox \
+ "Enter your HOME_NET separated by ," 10 60 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 3>&1 1>&2 2>&3)
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_homenet_sensor() {
+
+ # Ask to inherit from master
+ whiptail --title "Security Onion Setup" --yesno "Do you want to inherit the HOME_NET from the Master?" 8 78
+
+ local exitstatus=$?
+ if [ $exitstatus == 0 ]; then
+ HNSENSOR=inherit
+ else
+ HNSENSOR=$(whiptail --title "Security Onion Setup" --inputbox \
+ "Enter your HOME_NET separated by ," 10 60 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 3>&1 1>&2 2>&3)
+ fi
+
+}
+
+whiptail_install_type() {
+
+ # What kind of install are we doing?
+ INSTALLTYPE=$(whiptail --title "Security Onion Setup" --radiolist \
+ "Choose Install Type:" 20 78 14 \
+ "SENSORONLY" "Create a forward only sensor" ON \
+ "STORAGENODE" "Add a Storage Hot Node with parsing" OFF \
+ "MASTERONLY" "Start a new grid" OFF \
+ "PARSINGNODE" "TODO Add a dedicated Parsing Node" OFF \
+ "HOTNODE" "TODO Add a Hot Node (Storage Node without Parsing)" OFF \
+ "WARMNODE" "TODO Add a Warm Node to an existing Hot or Storage node" OFF \
+ "EVALMODE" "Evaluate all the things" OFF \
+ "WAZUH" "TODO Stand Alone Wazuh Node" OFF \
+ "STRELKA" "TODO Stand Alone Strelka Node" OFF \
+ "FLEET" "TODO Stand Alone Fleet OSQuery Node" OFF 3>&1 1>&2 2>&3 )
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_log_size_limit() {
+
+ LOG_SIZE_LIMIT=$(whiptail --title "Security Onion Setup" --inputbox \
+ "Please specify the amount of disk space (in GB) you would like to allocate for Elasticsearch data storage. \
+ By default, this is set to 85% of the disk space allotted for /nsm." 10 60 $LOG_SIZE_LIMIT 3>&1 1>&2 2>&3)
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+
+whiptail_management_nic() {
+
+ MNIC=$(whiptail --title "NIC Setup" --radiolist "Please select your management NIC" 20 78 12 ${NICS[@]} 3>&1 1>&2 2>&3 )
+
+ while [ -z "$MNIC" ]
+ do
+ MNIC=$(whiptail --title "NIC Setup" --radiolist "Please select your management NIC" 20 78 12 ${NICS[@]} 3>&1 1>&2 2>&3 )
+ done
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_nids() {
+
+ NIDS=$(whiptail --title "Security Onion Setup" --radiolist \
+ "Choose which IDS to run:" 20 78 4 \
+ "Suricata" "Suricata 4.X" ON \
+ "Snort" "Snort 3.0 Beta" OFF 3>&1 1>&2 2>&3 )
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_oinkcode() {
+
+ OINKCODE=$(whiptail --title "Security Onion Setup" --inputbox \
+ "Enter your oinkcode" 10 60 XXXXXXX 3>&1 1>&2 2>&3)
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_make_changes() {
+
+ whiptail --title "Security Onion Setup" --yesno "We are going to set this machine up as a $INSTALLTYPE. Please hit YES to make changes or NO to cancel." 8 78
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_management_server() {
+
+ MSRV=$(whiptail --title "Security Onion Setup" --inputbox \
+ "Enter your Master Server HOSTNAME. It is CASE SENSITIVE!" 10 60 XXXX 3>&1 1>&2 2>&3)
+
+ # See if it resolves. Otherwise prompt to add to host file
+ TESTHOST=$(host $MSRV)
+
+ if [[ $TESTHOST = *"not found"* ]]; then
+ add_master_hostfile
+ fi
+
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+# Ask if you want to do advanced setup of the Master
+whiptail_master_adv() {
+ MASTERADV=$(whiptail --title "Security Onion Setup" --radiolist \
+ "Choose what type of master install:" 20 78 4 \
+ "BASIC" "Install master with recommended settings" ON \
+ "ADVANCED" "Do additional configuration to the master" OFF 3>&1 1>&2 2>&3 )
+}
+
+# Ask which additional components to install
+whiptail_master_adv_service_brologs() {
+
+ BLOGS=$(whiptail --title "Security Onion Setup" --checklist "Please Select Logs to Send:" 24 78 12 \
+ "conn" "Connection Logging" ON \
+ "dce_rpc" "RPC Logs" ON \
+ "dhcp" "DHCP Logs" ON \
+ "dhcpv6" "DHCP IPv6 Logs" ON \
+ "dnp3" "DNP3 Logs" ON \
+ "dns" "DNS Logs" ON \
+ "dpd" "DPD Logs" ON \
+ "files" "Files Logs" ON \
+ "ftp" "FTP Logs" ON \
+ "http" "HTTP Logs" ON \
+ "intel" "Intel Hits Logs" ON \
+ "irc" "IRC Chat Logs" ON \
+ "kerberos" "Kerberos Logs" ON \
+ "modbus" "MODBUS Logs" ON \
+ "mqtt" "MQTT Logs" ON \
+ "notice" "Zeek Notice Logs" ON \
+ "ntlm" "NTLM Logs" ON \
+ "openvpn" "OPENVPN Logs" ON \
+ "pe" "PE Logs" ON \
+ "radius" "Radius Logs" ON \
+ "rfb" "RFB Logs" ON \
+ "rdp" "RDP Logs" ON \
+ "signatures" "Signatures Logs" ON \
+ "sip" "SIP Logs" ON \
+ "smb_files" "SMB Files Logs" ON \
+ "smb_mapping" "SMB Mapping Logs" ON \
+ "smtp" "SMTP Logs" ON \
+ "snmp" "SNMP Logs" ON \
+ "software" "Software Logs" ON \
+ "ssh" "SSH Logs" ON \
+ "ssl" "SSL Logs" ON \
+ "syslog" "Syslog Logs" ON \
+ "telnet" "Telnet Logs" ON \
+ "tunnel" "Tunnel Logs" ON \
+ "weird" "Zeek Weird Logs" ON \
+ "mysql" "MySQL Logs" ON \
+ "socks" "SOCKS Logs" ON \
+ "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
+}
+
+whiptail_network_notice() {
+
+ whiptail --title "Security Onion Setup" --yesno "Since this is a network install we assume the management interface, DNS, Hostname, etc are already set up. Hit YES to continue." 8 78
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_node_advanced() {
+
+ NODESETUP=$(whiptail --title "Security Onion Setup" --radiolist \
+ "What type of config would you like to use?:" 20 78 4 \
+ "NODEBASIC" "Install Storage Node with recommended settings" ON \
+ "NODEADVANCED" "Advanced Node Setup" OFF 3>&1 1>&2 2>&3 )
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_node_es_heap() {
+
+ es_heapsize
+ NODE_ES_HEAP_SIZE=$(whiptail --title "Security Onion Setup" --inputbox \
+ "\nEnter ES Heap Size: \n \n(Recommended value is pre-populated)" 10 60 $ES_HEAP_SIZE 3>&1 1>&2 2>&3)
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_node_ls_heap() {
+
+ ls_heapsize
+ NODE_LS_HEAP_SIZE=$(whiptail --title "Security Onion Setup" --inputbox \
+ "\nEnter LogStash Heap Size: \n \n(Recommended value is pre-populated)" 10 60 $LS_HEAP_SIZE 3>&1 1>&2 2>&3)
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_node_ls_pipeline_worker() {
+
+ LSPIPELINEWORKERS=$(whiptail --title "Security Onion Setup" --inputbox \
+ "\nEnter LogStash Pipeline Workers: \n \n(Recommended value is pre-populated)" 10 60 $CPUCORES 3>&1 1>&2 2>&3)
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_node_ls_pipline_batchsize() {
+
+ LSPIPELINEBATCH=$(whiptail --title "Security Onion Setup" --inputbox \
+ "\nEnter LogStash Pipeline Batch Size: \n \n(Default value is pre-populated)" 10 60 125 3>&1 1>&2 2>&3)
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_node_ls_input_threads() {
+
+ LSINPUTTHREADS=$(whiptail --title "Security Onion Setup" --inputbox \
+ "\nEnter LogStash Input Threads: \n \n(Default value is pre-populated)" 10 60 1 3>&1 1>&2 2>&3)
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_node_ls_input_batch_count() {
+
+ LSINPUTBATCHCOUNT=$(whiptail --title "Security Onion Setup" --inputbox \
+ "\nEnter LogStash Input Batch Count: \n \n(Default value is pre-populated)" 10 60 125 3>&1 1>&2 2>&3)
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_rule_setup() {
+
+ # Get pulled pork info
+ RULESETUP=$(whiptail --title "Security Onion Setup" --radiolist \
+ "What IDS rules to use?:" 20 140 4 \
+ "ETOPEN" "Emerging Threats Open - no oinkcode required" ON \
+ "ETPRO" "Emerging Threats PRO - requires ETPRO oinkcode" OFF \
+ "TALOSET" "Snort Subscriber (Talos) ruleset and Emerging Threats NoGPL ruleset - requires Snort Subscriber oinkcode" OFF \
+ "TALOS" "Snort Subscriber (Talos) ruleset only and set a Snort Subscriber policy - requires Snort Subscriber oinkcode" OFF 3>&1 1>&2 2>&3 )
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_sensor_config() {
+
+ NSMSETUP=$(whiptail --title "Security Onion Setup" --radiolist \
+ "What type of configuration would you like to use?:" 20 78 4 \
+ "BASIC" "Install NSM components with recommended settings" ON \
+ "ADVANCED" "Configure each component individually" OFF 3>&1 1>&2 2>&3 )
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_setup_complete() {
+
+ whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE. A reboot is recommended." 8 78
+ install_cleanup
+ exit
+
+}
+
+whiptail_setup_failed() {
+
+ whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see /root/sosetup.log for details" 8 78
+ install_cleanup
+ exit
+
+}
+
+whiptail_shard_count() {
+
+ SHARDCOUNT=$(whiptail --title "Security Onion Setup" --inputbox \
+ "\nEnter ES Shard Count: \n \n(Default value is pre-populated)" 10 60 125 3>&1 1>&2 2>&3)
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_suricata_pins() {
+
+ FILTEREDCORES=$(echo ${LISTCORES[@]} ${BROPINS[@]} | tr -d '"' | tr ' ' '\n' | sort | uniq -u | awk '{print $1 " \"" "core" "\""}')
+ SURIPINS=$(whiptail --noitem --title "Pin Suricata CPUS" --checklist "Please Select $LBPROCS cores to pin Suricata to:" 20 78 12 ${FILTEREDCORES[@]} 3>&1 1>&2 2>&3 )
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_master_updates() {
+
+ MASTERUPDATES=$(whiptail --title "Security Onion Setup" --radiolist \
+ "How would you like to download updates for your grid?:" 20 78 4 \
+ "MASTER" "Have the master node act as a proxy for OS/Docker updates." ON \
+ "OPEN" "Have each node connect to the Internet for updates" OFF 3>&1 1>&2 2>&3 )
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_node_updates() {
+
+ NODEUPDATES=$(whiptail --title "Security Onion Setup" --radiolist \
+ "How would you like to download updates for this node?:" 20 78 4 \
+ "MASTER" "Download OS/Docker updates from the Master." ON \
+ "OPEN" "Download updates directly from the Internet" OFF 3>&1 1>&2 2>&3 )
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_you_sure() {
+
+ whiptail --title "Security Onion Setup" --yesno "Are you sure you want to install Security Onion over the internet?" 8 78
+
+}
+
+########################
+## ##
+## End Functions ##
+## ##
+########################
+
+#####################
+## ##
+## Let's Go! ##
+## ##
+#####################
+
+# Check for prerequisites
+got_root
+detect_os
+
+if [ $OS == ubuntu ]; then
+ # Override the horrible Ubuntu whiptail color pallete
+ update-alternatives --set newt-palette /etc/newt/palette.original
+fi
+
+# Question Time
+if (whiptail_you_sure); then
+
+ # Create a temp dir to get started
+ install_prep
+
+ # Let folks know they need their management interface already set up.
+ whiptail_network_notice
+
+ # Go ahead and gen the keys so we can use them for any sensor type - Disabled for now
+ #minio_generate_keys
+
+ # What kind of install are we doing?
+ whiptail_install_type
+
+ ####################
+ ## Master ##
+ ####################
+
+ if [ $INSTALLTYPE == 'MASTERONLY' ]; then
+
+ # Would you like to do an advanced install?
+ whiptail_master_adv
+
+ # Pick the Management NIC
+ whiptail_management_nic
+
+ # Choose Zeek or Community NSM
+ whiptail_bro_version
+
+ # Select Snort or Suricata
+ whiptail_nids
+
+ # Snag the HOME_NET
+ whiptail_homenet_master
+
+ # Pick your Ruleset
+ whiptail_rule_setup
+
+ # Get the code if it isn't ET Open
+ if [ $RULESETUP != 'ETOPEN' ]; then
+ # Get the code
+ whiptail_oinkcode
+ fi
+
+ # Find out how to handle updates
+ whiptail_master_updates
+ whiptail_enable_components
+ process_components
+
+ # Do Advacned Setup if they chose it
+ if [ $MASTERADV == 'ADVANCED' ]; then
+ # Ask which bro logs to enable - Need to add Suricata check
+ if [ $BROVERSION != 'SURICATA' ]; then
+ whiptail_master_adv_service_brologs
+ fi
+ fi
+
+ # Last Chance to back out
+ whiptail_make_changes
+ generate_passwords
+ auth_pillar
+ clear_master
+ mkdir -p /nsm
+ get_filesystem_root
+ get_filesystem_nsm
+ # Enable Bro Logs
+ bro_logs_enabled
+
+ # Figure out the main IP address
+ get_main_ip
+
+ # Add the user so we can sit back and relax
+ echo ""
+ echo "**** Please set a password for socore. You will use this password when setting up other Nodes/Sensors"
+ echo ""
+ add_socore_user_master
+
+ # Install salt and dependencies
+ {
+ sleep 0.5
+ echo -e "XXX\n0\nInstalling and configuring Salt... \nXXX"
+ echo " ** Installing Salt and Dependencies **" >>~/sosetup.log
+ saltify >>~/sosetup.log 2>&1
+ echo -e "XXX\n5\nInstalling Docker... \nXXX"
+ docker_install >>~/sosetup.log 2>&1
+ echo -e "XXX\n10\nConfiguring Salt Master... \nXXX"
+ echo " ** Configuring Minion **" >>~/sosetup.log
+ configure_minion master >>~/sosetup.log 2>&1
+ echo " ** Installing Salt Master **" >>~/sosetup.log
+ install_master >>~/sosetup.log 2>&1
+ salt_master_directories >>~/sosetup.log 2>&1
+ update_sudoers >>~/sosetup.log 2>&1
+ chown_salt_master >>~/sosetup.log 2>&1
+ es_heapsize >>~/sosetup.log 2>&1
+ ls_heapsize >>~/sosetup.log 2>&1
+ echo -e "XXX\n25\nConfiguring Default Pillars... \nXXX"
+ master_static >>~/sosetup.log 2>&1
+ echo "** Generating the master pillar **" >>~/sosetup.log
+ master_pillar >>~/sosetup.log 2>&1
+ echo -e "XXX\n30\nAccepting Salt Keys... \nXXX"
+ # Do a checkin to push the key up
+ echo "** Pushing the key up to Master **" >>~/sosetup.log
+ salt_firstcheckin >>~/sosetup.log 2>&1
+ # Accept the Master Key
+ echo "** Accepting the key on the master **" >>~/sosetup.log
+ accept_salt_key_local >>~/sosetup.log 2>&1
+ echo -e "XXX\n35\nConfiguring Firewall... \nXXX"
+ # Open the firewall
+ echo "** Setting the initial firewall policy **" >>~/sosetup.log
+ set_initial_firewall_policy >>~/sosetup.log 2>&1
+ # Do the big checkin but first let them know it will take a bit.
+ echo -e "XXX\n40\nGenerating CA... \nXXX"
+ salt_checkin >>~/sosetup.log 2>&1
+ salt-call state.apply ca >>~/sosetup.log 2>&1
+ salt-call state.apply ssl >>~/sosetup.log 2>&1
+ echo -e "XXX\n43\nInstalling Common Components... \nXXX"
+ salt-call state.apply common >>~/sosetup.log 2>&1
+ echo -e "XXX\n45\nApplying firewall rules... \nXXX"
+ salt-call state.apply firewall >>~/sosetup.log 2>&1
+ salt-call state.apply master >>~/sosetup.log 2>&1
+ salt-call state.apply idstools >>~/sosetup.log 2>&1
+ echo -e "XXX\n40\nInstalling Redis... \nXXX"
+ salt-call state.apply redis >>~/sosetup.log 2>&1
+ if [[ $OSQUERY == '1' ]]; then
+ echo -e "XXX\n41\nInstalling MySQL... \nXXX"
+ salt-call state.apply mysql >>~/sosetup.log 2>&1
+ fi
+ echo -e "XXX\n45\nInstalling Elastic Components... \nXXX"
+ salt-call state.apply elasticsearch >>~/sosetup.log 2>&1
+ salt-call state.apply logstash >>~/sosetup.log 2>&1
+ salt-call state.apply kibana >>~/sosetup.log 2>&1
+ salt-call state.apply elastalert >>~/sosetup.log 2>&1
+ if [[ $WAZUH == '1' ]]; then
+ echo -e "XXX\n68\nInstalling Wazuh... \nXXX"
+ salt-call state.apply wazuh >>~/sosetup.log 2>&1
+ fi
+ echo -e "XXX\n75\nInstalling Filebeat... \nXXX"
+ salt-call state.apply filebeat >>~/sosetup.log 2>&1
+ salt-call state.apply utility >>~/sosetup.log 2>&1
+ salt-call state.apply schedule >>~/sosetup.log 2>&1
+ if [[ $OSQUERY == '1' ]]; then
+ echo -e "XXX\n79\nInstalling Fleet... \nXXX"
+ salt-call state.apply fleet >>~/sosetup.log 2>&1
+ salt-call state.apply launcher >>~/sosetup.log 2>&1
+ fi
+ echo -e "XXX\n85\nConfiguring SOctopus... \nXXX"
+ salt-call state.apply soctopus >>~/sosetup.log 2>&1
+ if [[ $THEHIVE == '1' ]]; then
+ echo -e "XXX\n87\nInstalling TheHive... \nXXX"
+ salt-call state.apply hive >>~/sosetup.log 2>&1
+ fi
+ echo -e "XXX\n75\nEnabling Checking at Boot... \nXXX"
+ checkin_at_boot >>~/sosetup.log 2>&1
+ echo -e "XXX\n95\nVerifying Install... \nXXX"
+ salt-call state.highstate >>~/sosetup.log 2>&1
+
+ } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
+ GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
+ if [[ $GOODSETUP == '0' ]]; then
+ whiptail_setup_complete
+ else
+ whiptail_setup_failed
+ fi
+
+ fi
+
+ ####################
+ ## Sensor ##
+ ####################
+
+ if [ $INSTALLTYPE == 'SENSORONLY' ]; then
+ whiptail_management_nic
+ filter_nics
+ whiptail_bond_nics
+ whiptail_management_server
+ whiptail_master_updates
+ set_updates
+ whiptail_homenet_sensor
+ whiptail_sensor_config
+ # Calculate lbprocs so we can call it in the prompts
+ calculate_useable_cores
+ if [ $NSMSETUP == 'ADVANCED' ]; then
+ whiptail_bro_pins
+ whiptail_suricata_pins
+ whiptail_bond_nics_mtu
+ else
+ whiptail_basic_bro
+ whiptail_basic_suri
+ fi
+ whiptail_make_changes
+ clear_master
+ mkdir -p /nsm
+ get_filesystem_root
+ get_filesystem_nsm
+ copy_ssh_key
+ {
+ sleep 0.5
+ echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
+ set_initial_firewall_policy >>~/sosetup.log 2>&1
+ echo -e "XXX\n3\nCreating Bond Interface... \nXXX"
+ create_bond >>~/sosetup.log 2>&1
+ echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX"
+ sensor_pillar >>~/sosetup.log 2>&1
+ echo -e "XXX\n5\nInstalling Salt Components... \nXXX"
+ saltify >>~/sosetup.log 2>&1
+ echo -e "XXX\n20\nInstalling Docker... \nXXX"
+ docker_install >>~/sosetup.log 2>&1
+ echo -e "XXX\n22\nConfiguring Salt Minion... \nXXX"
+ configure_minion sensor >>~/sosetup.log 2>&1
+ echo -e "XXX\n24\nCopying Sensor Pillar to Master... \nXXX"
+ copy_minion_pillar sensors >>~/sosetup.log 2>&1
+ echo -e "XXX\n25\nSending Salt Key to Master... \nXXX"
+ salt_firstcheckin >>~/sosetup.log 2>&1
+ echo -e "XXX\n26\nTelling the Master to Accept Key... \nXXX"
+ # Accept the Salt Key
+ accept_salt_key_remote >>~/sosetup.log 2>&1
+ echo -e "XXX\n27\nApplying SSL Certificates... \nXXX"
+ salt-call state.apply ca >>~/sosetup.log 2>&1
+ salt-call state.apply ssl >>~/sosetup.log 2>&1
+ echo -e "XXX\n35\nInstalling Core Components... \nXXX"
+ salt-call state.apply common >>~/sosetup.log 2>&1
+ salt-call state.apply firewall >>~/sosetup.log 2>&1
+ echo -e "XXX\n50\nInstalling PCAP... \nXXX"
+ salt-call state.apply pcap >>~/sosetup.log 2>&1
+ echo -e "XXX\n60\nInstalling IDS components... \nXXX"
+ salt-call state.apply suricata >>~/sosetup.log 2>&1
+ echo -e "XXX\n80\nVerifying Install... \nXXX"
+ salt-call state.highstate >>~/sosetup.log 2>&1
+ checkin_at_boot >>~/sosetup.log 2>&1
+ } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
+ GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
+ if [[ $GOODSETUP == '0' ]]; then
+ whiptail_setup_complete
+ else
+ whiptail_setup_failed
+ fi
+ fi
+
+ #######################
+ ## Eval Mode ##
+ #######################
+
+ if [ $INSTALLTYPE == 'EVALMODE' ]; then
+ # Select the management NIC
+ whiptail_management_nic
+
+ # Filter out the management NIC
+ filter_nics
+
+ # Select which NICs are in the bond
+ whiptail_bond_nics
+
+ # Snag the HOME_NET
+ whiptail_homenet_master
+ whiptail_eval_adv_warning
+ whiptail_enable_components
+
+ # Set a bunch of stuff since this is eval
+ es_heapsize
+ ls_heapsize
+ NODE_ES_HEAP_SIZE="600m"
+ NODE_LS_HEAP_SIZE="2000m"
+ LSPIPELINEWORKERS=1
+ LSPIPELINEBATCH=125
+ LSINPUTTHREADS=1
+ LSINPUTBATCHCOUNT=125
+ RULESETUP=ETOPEN
+ NSMSETUP=BASIC
+ NIDS=Suricata
+ BROVERSION=ZEEK
+ CURCLOSEDAYS=30
+ process_components
+ whiptail_make_changes
+ #eval_mode_hostsfile
+ generate_passwords
+ auth_pillar
+ clear_master
+ mkdir -p /nsm
+ get_filesystem_root
+ get_filesystem_nsm
+ get_log_size_limit
+ get_main_ip
+ # Add the user so we can sit back and relax
+ echo ""
+ echo "**** Please set a password for socore. 
You will use this password when setting up other Nodes/Sensors" + echo "" + add_socore_user_master + { + sleep 0.5 + echo -e "XXX\n0\nCreating Bond Interface... \nXXX" + create_bond >>~/sosetup.log 2>&1 + echo -e "XXX\n1\nInstalling saltstack... \nXXX" + saltify >>~/sosetup.log 2>&1 + echo -e "XXX\n3\nInstalling docker... \nXXX" + docker_install >>~/sosetup.log 2>&1 + echo -e "XXX\n5\nInstalling master code... \nXXX" + install_master >>~/sosetup.log 2>&1 + echo -e "XXX\n6\nCopying salt code... \nXXX" + salt_master_directories >>~/sosetup.log 2>&1 + echo -e "XXX\n6\nupdating suduers... \nXXX" + update_sudoers >>~/sosetup.log 2>&1 + echo -e "XXX\n7\nFixing some permissions... \nXXX" + chown_salt_master >>~/sosetup.log 2>&1 + echo -e "XXX\n7\nCreating the static pillar... \nXXX" + # Set the static values + master_static >>~/sosetup.log 2>&1 + echo -e "XXX\n7\nCreating the master pillar... \nXXX" + master_pillar >>~/sosetup.log 2>&1 + echo -e "XXX\n7\nConfiguring minion... \nXXX" + configure_minion eval >>~/sosetup.log 2>&1 + echo -e "XXX\n7\nSetting the node type to eval... \nXXX" + set_node_type >>~/sosetup.log 2>&1 + echo -e "XXX\n7\nStorage node pillar... \nXXX" + node_pillar >>~/sosetup.log 2>&1 + echo -e "XXX\n8\nCreating firewall policies... \nXXX" + set_initial_firewall_policy >>~/sosetup.log 2>&1 + echo -e "XXX\n10\nRegistering agent... \nXXX" + salt_firstcheckin >>~/sosetup.log 2>&1 + echo -e "XXX\n11\nAccepting Agent... \nXXX" + accept_salt_key_local >>~/sosetup.log 2>&1 + echo -e "XXX\n12\nRunning the SSL states... \nXXX" + salt_checkin >>~/sosetup.log 2>&1 + salt-call state.apply ca >>~/sosetup.log 2>&1 + salt-call state.apply ssl >>~/sosetup.log 2>&1 + echo -e "XXX\n15\nInstalling core components... \nXXX" + salt-call state.apply common >>~/sosetup.log 2>&1 + echo -e "XXX\n18\nInitializing firewall rules... \nXXX" + salt-call state.apply firewall >>~/sosetup.log 2>&1 + echo -e "XXX\n25\nInstalling master components... 
\nXXX" + salt-call state.apply master >>~/sosetup.log 2>&1 + salt-call state.apply idstools >>~/sosetup.log 2>&1 + if [[ $OSQUERY == '1' ]]; then + salt-call state.apply mysql >>~/sosetup.log 2>&1 + fi + echo -e "XXX\n35\nInstalling ElasticSearch... \nXXX" + salt-call state.apply elasticsearch >>~/sosetup.log 2>&1 + echo -e "XXX\n40\nInstalling Logstash... \nXXX" + salt-call state.apply logstash >>~/sosetup.log 2>&1 + echo -e "XXX\n45\nInstalling ElasticSearch... \nXXX" + salt-call state.apply kibana >>~/sosetup.log 2>&1 + echo -e "XXX\n50\nInstalling pcap... \nXXX" + salt-call state.apply pcap >>~/sosetup.log 2>&1 + echo -e "XXX\n52\nInstalling Suricata... \nXXX" + salt-call state.apply suricata >>~/sosetup.log 2>&1 + echo -e "XXX\n54\nInstalling Zeek... \nXXX" + salt-call state.apply bro >>~/sosetup.log 2>&1 + echo -e "XXX\n56\nInstalling curator... \nXXX" + salt-call state.apply curator >>~/sosetup.log 2>&1 + echo -e "XXX\n58\nInstalling elastalert... \nXXX" + salt-call state.apply elastalert >>~/sosetup.log 2>&1 + if [[ $OSQUERY == '1' ]]; then + echo -e "XXX\n60\nInstalling fleet... \nXXX" + salt-call state.apply fleet >>~/sosetup.log 2>&1 + salt-call state.apply redis >>~/sosetup.log 2>&1 + fi + if [[ $WAZUH == '1' ]]; then + echo -e "XXX\n65\nInstalling Wazuh components... \nXXX" + salt-call state.apply wazuh >>~/sosetup.log 2>&1 + fi + echo -e "XXX\n85\nInstalling filebeat... \nXXX" + salt-call state.apply filebeat >>~/sosetup.log 2>&1 + salt-call state.apply utility >>~/sosetup.log 2>&1 + echo -e "XXX\n95\nInstalling misc components... \nXXX" + salt-call state.apply schedule >>~/sosetup.log 2>&1 + salt-call state.apply soctopus >>~/sosetup.log 2>&1 + if [[ $THEHIVE == '1' ]]; then + salt-call state.apply hive >>~/sosetup.log 2>&1 + fi + echo -e "XXX\n98\nSetting checkin to run on boot... \nXXX" + checkin_at_boot >>~/sosetup.log 2>&1 + echo -e "XXX\n99\nVerifying Setup... 
\nXXX" + salt-call state.highstate >>~/sosetup.log 2>&1 + + } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 + GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') + if [ $OS == 'centos' ]; then + if [[ $GOODSETUP == '1' ]]; then + whiptail_setup_complete + else + whiptail_setup_failed + fi + else + if [[ $GOODSETUP == '0' ]]; then + whiptail_setup_complete + else + whiptail_setup_failed + fi + fi + fi + + ################### + ## Nodes ## + ################### + + if [ $INSTALLTYPE == 'STORAGENODE' ] || [ $INSTALLTYPE == 'PARSINGNODE' ] || [ $INSTALLTYPE == 'HOTNODE' ] || [ $INSTALLTYPE == 'WARMNODE' ]; then + whiptail_management_nic + whiptail_management_server + whiptail_master_updates + set_updates + get_log_size_limit + CURCLOSEDAYS=30 + es_heapsize + ls_heapsize + whiptail_node_advanced + if [ $NODESETUP == 'NODEADVANCED' ]; then + whiptail_node_es_heap + whiptail_node_ls_heap + whiptail_node_ls_pipeline_worker + whiptail_node_ls_pipline_batchsize + whiptail_node_ls_input_threads + whiptail_node_ls_input_batch_count + whiptail_cur_close_days + whiptail_log_size_limit + else + NODE_ES_HEAP_SIZE=$ES_HEAP_SIZE + NODE_LS_HEAP_SIZE=$LS_HEAP_SIZE + LSPIPELINEWORKERS=$CPUCORES + LSPIPELINEBATCH=125 + LSINPUTTHREADS=1 + LSINPUTBATCHCOUNT=125 + fi + whiptail_make_changes + clear_master + mkdir -p /nsm + get_filesystem_root + get_filesystem_nsm + copy_ssh_key + { + sleep 0.5 + echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX" + set_initial_firewall_policy >>~/sosetup.log 2>&1 + echo -e "XXX\n5\nInstalling Salt Packages... \nXXX" + saltify >>~/sosetup.log 2>&1 + echo -e "XXX\n20\nInstalling Docker... \nXXX" + docker_install >>~/sosetup.log 2>&1 + echo -e "XXX\n30\nInitializing Minion... 
\nXXX" + configure_minion node >>~/sosetup.log 2>&1 + set_node_type >>~/sosetup.log 2>&1 + node_pillar >>~/sosetup.log 2>&1 + copy_minion_pillar nodes >>~/sosetup.log 2>&1 + echo -e "XXX\n35\nSending and Accepting Salt Key... \nXXX" + salt_firstcheckin >>~/sosetup.log 2>&1 + # Accept the Salt Key + accept_salt_key_remote >>~/sosetup.log 2>&1 + echo -e "XXX\n40\nApplying SSL Certificates... \nXXX" + salt-call state.apply ca >>~/sosetup.log 2>&1 + salt-call state.apply ssl >>~/sosetup.log 2>&1 + echo -e "XXX\n50\nConfiguring Firewall... \nXXX" + salt-call state.apply common >>~/sosetup.log 2>&1 + salt-call state.apply firewall >>~/sosetup.log 2>&1 + echo -e "XXX\n70\nInstalling Elastic Components... \nXXX" + salt-call state.apply logstash >>~/sosetup.log 2>&1 + salt-call state.apply elasticsearch >>~/sosetup.log 2>&1 + salt-call state.apply curator >>~/sosetup.log 2>&1 + salt-call state.apply filebeat >>~/sosetup.log 2>&1 + echo -e "XXX\n90\nVerifying Install... \nXXX" + salt-call state.highstate >>~/sosetup.log 2>&1 + checkin_at_boot >>~/sosetup.log 2>&1 + + } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 + GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') + if [[ $GOODSETUP == '0' ]]; then + whiptail_setup_complete + else + whiptail_setup_failed + fi + + set_initial_firewall_policy + saltify + docker_install + configure_minion node + set_node_type + node_pillar + copy_minion_pillar nodes + salt_checkin + # Accept the Salt Key + accept_salt_key_remote + # Do the big checkin but first let them know it will take a bit. + salt_checkin_message + salt_checkin + checkin_at_boot + + whiptail_setup_complete + fi + +else + exit +fi From 33f21509ea46191bd8434744cf0ad788714a978c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 6 Jun 2019 11:08:22 -0400 Subject: [PATCH 11/66] Sensoroni Master - Enable --- salt/top.sls | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/salt/top.sls b/salt/top.sls index 0b22afa03..e9c7a1360 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -35,6 +35,7 @@ base: - logstash - kibana - pcap + - sensoroni - suricata - bro - curator @@ -64,6 +65,7 @@ base: - master - idstools - redis + - sensoroni {%- if OSQUERY != 0 %} - mysql {%- endif %} From 1ef679c19e9839485cb3870940dcafdd46057f9c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 6 Jun 2019 16:36:25 -0400 Subject: [PATCH 12/66] Common Module - Fix Dashboard issue --- salt/common/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index b582deda2..546f423f4 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -355,7 +355,7 @@ dashboard-{{ SN }}: - defaults: SERVERNAME: {{ SN }} MANINT: {{ SNDATA.manint }} - MONINT: {{ SNDATA.monint }} + MONINT: {{ SNDATA.manint }} CPUS: {{ SNDATA.totalcpus }} UID: {{ SNDATA.guid }} ROOTFS: {{ SNDATA.rootfs }} From 6b219710b1b3ee676d94764ba0fd6fbe10d34ade Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 6 Jun 2019 20:41:19 -0400 Subject: [PATCH 13/66] Sensoroni Module - Fix docker version --- salt/sensoroni/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls index 1d00dec90..d3375c54a 100644 --- a/salt/sensoroni/init.sls +++ b/salt/sensoroni/init.sls @@ -21,7 +21,7 @@ so-sensoroni: docker_container.running: - require: - so-sensoroniimage - - image: soshybridhunter/so-sensoroni:HH1.0.8 + - image: soshybridhunter/so-sensoroni:HH1.1.0 - hostname: sensoroni - name: so-sensoroni - binds: From 8036c8b236d2eb19e9930d30fa5c854dc6d8a92d Mon Sep 17 00:00:00 2001 
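Review bot: `MONINT: {{ SNDATA.manint }}` makes the dashboard's monitor-interface value identical to `MANINT`, which reads like a copy-paste slip rather than a fix, and nothing in the hunk says why `monint` was wrong. If it is deliberate (for example because `monint` is not populated in this grain on some node types) a Jinja comment above the line such as `{# MONINT intentionally uses manint: monint is not populated for this node #}` would keep the next reader from reverting it. The enclosing `dashboard-{{ SN }}` state begins outside the hunk.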
From: Mike Reeves Date: Mon, 10 Jun 2019 11:16:56 -0400 Subject: [PATCH 14/66] Sensoroni Module - Add Valid Configs --- salt/pcap/files/sensoroni-agent.conf | 18 ++++++++++++++++++ salt/sensoroni/files/sensoroni.conf | 26 +++++++++++++++++++++++++- so-setup-network.sh | 4 +++- 3 files changed, 46 insertions(+), 2 deletions(-) create mode 100644 salt/pcap/files/sensoroni-agent.conf diff --git a/salt/pcap/files/sensoroni-agent.conf b/salt/pcap/files/sensoroni-agent.conf new file mode 100644 index 000000000..0afe2333c --- /dev/null +++ b/salt/pcap/files/sensoroni-agent.conf @@ -0,0 +1,18 @@ +{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%} +{%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%} +{ + "logFilename": "sensoroni.log", + "agent": { + "pollIntervalMs": 10000, + "serverUrl": "https://{{ MASTERIP }}/sensoroniagents", + "modules": { + "statickeyauth": { + "apiKey": "{{ SENSORONIKEY }}" + }, + "stenoquery": { + "pcapInputPath": "/nsm/pcap", + "pcapOutputPath": "/nsm/pcapoutput" + } + } + } +} diff --git a/salt/sensoroni/files/sensoroni.conf b/salt/sensoroni/files/sensoroni.conf index 7904b3cc1..db240fa91 100644 --- a/salt/sensoroni/files/sensoroni.conf +++ b/salt/sensoroni/files/sensoroni.conf @@ -1 +1,25 @@ -# Config File if Needed +{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%} +{%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%} +{ + "logFilename": "sensoroni-server.log", + "server": { + "bindAddress": "{{ MASTERIP }}:9822", + "maxPacketCount": 5000, + "htmlDir": "html", + "modules": { + "filedatastore": { + "jobDir": "jobs" + }, + "securityonion": { + "elasticsearchHost": "http://{{ MASTERIP }}:9200", + "elasticsearchUsername": "", + "elasticsearchPassword": "", + "elasticsearchVerifyCert": false + }, + "statickeyauth": { + "anonymousCidr": "{{ MASTERIP }}/32", + "apiKey": "{{ SENSORONIKEY }}" + } + } + } +} 
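Review bot: `"anonymousCidr": "{{ MASTERIP }}/32"` in the new sensoroni.conf exempts every request that arrives from the master's own address from the `statickeyauth` apiKey check, so anything relayed from that host (a reverse proxy on the master, for instance) inherits the exemption unless the server derives the client address from X-Forwarded-For, which is not visible here; the later sensoroni.json hunk in PATCH 23 widens the value to `172.17.0.0/24` and has the same effect for every container on the bridge. `"elasticsearchVerifyCert": false` is a no-op against the plain `http://{{ MASTERIP }}:9200` host but will silently skip certificate checks if that URL is ever switched to https, so it is safer left `true` or omitted. Both rendered files embed `{{ SENSORONIKEY }}` and therefore need a restrictive mode from whichever states install them.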
diff --git a/so-setup-network.sh b/so-setup-network.sh index 1459963ad..1570e418c 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -253,7 +253,7 @@ create_bond_nmcli() { if [ $NSMSETUP != 'ADVANCED' ]; then MTU=1500 fi - + # Create the bond interface nmcli con add type bond ifname bond0 con-name "bond0" \ bond.options "mode=0" \ @@ -472,6 +472,7 @@ generate_passwords(){ MYSQLPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) FLEETPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) HIVEKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) + SENSORONIKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) } get_filesystem_nsm(){ @@ -619,6 +620,7 @@ master_static() { echo " hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls echo " hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls echo " fleetsetup: 0" >> /opt/so/saltstack/pillar/static.sls + echo " sensoronikey: $SENSORONIKEY" >> /opt/so/saltstack/pillar/static.sls if [[ $MASTERUPDATES == 'MASTER' ]]; then echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls else From dbdacf5bf817371341ef8c7a9b0adff6a5c81499 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 10 Jun 2019 14:34:19 -0400 Subject: [PATCH 15/66] Common Module - Update Sensoroni reverse proxy config --- salt/common/nginx/nginx.conf.so-eval | 21 +++++++++++++++++++++ salt/common/nginx/nginx.conf.so-master | 22 ++++++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/salt/common/nginx/nginx.conf.so-eval b/salt/common/nginx/nginx.conf.so-eval index 3b0a0d4a1..8f3ff4c31 100644 --- a/salt/common/nginx/nginx.conf.so-eval +++ b/salt/common/nginx/nginx.conf.so-eval 
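Review bot: `echo " sensoronikey: $SENSORONIKEY" >> /opt/so/saltstack/pillar/static.sls` in master_static writes the value unconditionally, and in the setup flow visible earlier on this page `generate_passwords` is only called on the eval path, so on other install paths the variable may be empty and the pillar would carry an empty key that server and agents then share as their secret. A guard before the write, `: "${SENSORONIKEY:?generate_passwords must run before master_static}"`, turns that ordering assumption into a loud failure instead. The new generation line `SENSORONIKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)` matches the surrounding password lines, but if the script ever enables `set -o pipefail` the early exit of `head` makes the whole pipeline report failure. Both generate_passwords and master_static begin outside their hunks.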
@@ -157,6 +157,27 @@ http { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Proxy ""; + } + location /sensoroni/ { + proxy_pass http://{{ masterip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + + } + + location /sensoroniagents/ { + proxy_pass http://{{ masterip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + } error_page 404 /404.html; location = /40x.html { diff --git a/salt/common/nginx/nginx.conf.so-master b/salt/common/nginx/nginx.conf.so-master index c0eada231..89a5a1300 100644 --- a/salt/common/nginx/nginx.conf.so-master +++ b/salt/common/nginx/nginx.conf.so-master @@ -159,6 +159,28 @@ http { } + location /sensoroni/ { + proxy_pass http://{{ masterip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + + } + + location /sensoroniagents/ { + proxy_pass http://{{ masterip }}:9822/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + + } + error_page 404 /404.html; location = /40x.html { } From 087656631774000c7feebc70c0563881529b1e4b Mon Sep 17 00:00:00 2001 
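Review bot: Both new locations use `proxy_pass http://{{ masterip }}:9822/;` with a trailing slash, so `/sensoroni/` and `/sensoroniagents/` are rewritten to the same upstream root and the backend cannot tell UI requests from agent requests by path. If the split is meant to let the two be firewalled or authenticated differently, the prefix has to survive (`proxy_pass http://{{ masterip }}:9822;` without the trailing slash, assuming the upstream routes on those paths); if they are intentionally equivalent, a comment on the second block saying so would help. The same applies to the so-eval hunk at the start of this line. X-Forwarded-For is forwarded, but whether the upstream uses it for its anonymousCidr check is not visible here.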
From: Mike Reeves Date: Mon, 10 Jun 2019 18:27:03 -0400 Subject: [PATCH 16/66] Filebeat Module - Change port for internal filebeat traffic --- salt/filebeat/etc/filebeat.yml | 2 +- .../files/dynamic/0006_input_hhbeats.conf | 40 +++++++++++++++++++ salt/logstash/init.sls | 1 + 3 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 salt/logstash/files/dynamic/0006_input_hhbeats.conf diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 31a5b3503..67fd596c5 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -80,7 +80,7 @@ output.logstash: enabled: true # The Logstash hosts - hosts: ["{{ MASTER }}:5044"] + hosts: ["{{ MASTER }}:5644"] # Number of workers per Logstash host. worker: 1 diff --git a/salt/logstash/files/dynamic/0006_input_hhbeats.conf b/salt/logstash/files/dynamic/0006_input_hhbeats.conf new file mode 100644 index 000000000..6b7667f5c --- /dev/null +++ b/salt/logstash/files/dynamic/0006_input_hhbeats.conf @@ -0,0 +1,40 @@ +input { + beats { + port => "5644" + ssl => true + ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"] + ssl_certificate => "/usr/share/logstash/filebeat.crt" + ssl_key => "/usr/share/logstash/filebeat.key" + tags => [ "beat" ] + } +} +filter { + if [type] == "ids" or [type] =~ "bro" { + mutate { + rename => { "host" => "beat_host" } + remove_tag => ["beat"] + add_field => { "sensor_name" => "%{[beat][name]}" } + add_field => { "syslog-host_from" => "%{[beat][name]}" } + remove_field => [ "beat", "prospector", "input", "offset" ] + } + } + if [type] =~ "ossec" { + mutate { + rename => { "host" => "beat_host" } + remove_tag => ["beat"] + add_field => { "syslog-host_from" => "%{[beat][name]}" } + remove_field => [ "beat", "prospector", "input", "offset" ] + } + } + if [type] == "osquery" { + mutate { + rename => { "host" => "beat_host" } + remove_tag => ["beat"] + add_tag => ["osquery"] + } + json { + source => "message" + target => "osquery" + } + } +} 
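Review bot: The new `beats` input sets `ssl_certificate_authorities` but no `ssl_verify_mode`, and the beats input defaults that option to `none`, so the CA is loaded but client certificates are never requested or checked and any filebeat that can reach port 5644 can submit events. If the CA is there to authenticate sensors, add `ssl_verify_mode => "force_peer"` beside it (filebeat must then present a certificate); if server-side TLS only is intended, drop the CA line so the config states what it actually does. The CA path `/usr/share/filebeat/ca.crt` inside the logstash container also looks worth a second glance, since the other certificate files live under `/usr/share/logstash/`.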
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index eff920150..4e7e441a8 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -163,6 +163,7 @@ so-logstash: - port_bindings: - 0.0.0.0:514:514 - 0.0.0.0:5044:5044 + - 0.0.0.0:5644:5644 - 0.0.0.0:6050:6050 - 0.0.0.0:6051:6051 - 0.0.0.0:6052:6052 From d9b1caf04495b7f2c237fabacc052000a51cf1b0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 10 Jun 2019 18:33:09 -0400 Subject: [PATCH 17/66] Logstash Module - Add new input conf --- salt/logstash/conf/conf.enabled.txt.so-eval | 1 + salt/logstash/conf/conf.enabled.txt.so-master | 1 + 2 files changed, 2 insertions(+) diff --git a/salt/logstash/conf/conf.enabled.txt.so-eval b/salt/logstash/conf/conf.enabled.txt.so-eval index d8eae00e6..973897c5f 100644 --- a/salt/logstash/conf/conf.enabled.txt.so-eval +++ b/salt/logstash/conf/conf.enabled.txt.so-eval @@ -13,6 +13,7 @@ #/usr/share/logstash/pipeline.so/0003_input_syslog.conf #/usr/share/logstash/pipeline.so/0005_input_suricata.conf /usr/share/logstash/pipeline.dynamic/0006_input_beats.conf +/usr/share/logstash/pipeline.dynamic/0006_input_hhbeats.conf /usr/share/logstash/pipeline.so/0007_input_import.conf #/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf #/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf diff --git a/salt/logstash/conf/conf.enabled.txt.so-master b/salt/logstash/conf/conf.enabled.txt.so-master index c33e46abe..c9e7ec9ef 100644 --- a/salt/logstash/conf/conf.enabled.txt.so-master +++ b/salt/logstash/conf/conf.enabled.txt.so-master @@ -13,5 +13,6 @@ /usr/share/logstash/pipeline.so/0003_input_syslog.conf /usr/share/logstash/pipeline.so/0005_input_suricata.conf /usr/share/logstash/pipeline.dynamic/0006_input_beats.conf +/usr/share/logstash/pipeline.dynamic/0006_input_hhbeats.conf /usr/share/logstash/pipeline.so/0007_input_import.conf /usr/share/logstash/pipeline.dynamic/9999_output_redis.conf 
From 9c1e128ca0e3f582db9e036195835f2035839dff Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 10 Jun 2019 18:44:10 -0400 Subject: [PATCH 18/66] Logstash Module - Add new input conf --- salt/logstash/conf/conf.enabled.txt.so-eval | 2 +- salt/logstash/conf/conf.enabled.txt.so-master | 2 +- .../{0006_input_hhbeats.conf => 0010_input_hhbeats.conf} | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename salt/logstash/files/dynamic/{0006_input_hhbeats.conf => 0010_input_hhbeats.conf} (100%) diff --git a/salt/logstash/conf/conf.enabled.txt.so-eval b/salt/logstash/conf/conf.enabled.txt.so-eval index 973897c5f..9e74b959b 100644 --- a/salt/logstash/conf/conf.enabled.txt.so-eval +++ b/salt/logstash/conf/conf.enabled.txt.so-eval @@ -13,8 +13,8 @@ #/usr/share/logstash/pipeline.so/0003_input_syslog.conf #/usr/share/logstash/pipeline.so/0005_input_suricata.conf /usr/share/logstash/pipeline.dynamic/0006_input_beats.conf -/usr/share/logstash/pipeline.dynamic/0006_input_hhbeats.conf /usr/share/logstash/pipeline.so/0007_input_import.conf +/usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf #/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf #/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf #/usr/share/logstash/pipeline.so/1002_preprocess_json.conf diff --git a/salt/logstash/conf/conf.enabled.txt.so-master b/salt/logstash/conf/conf.enabled.txt.so-master index c9e7ec9ef..37fa8cacc 100644 --- a/salt/logstash/conf/conf.enabled.txt.so-master +++ b/salt/logstash/conf/conf.enabled.txt.so-master @@ -13,6 +13,6 @@ /usr/share/logstash/pipeline.so/0003_input_syslog.conf /usr/share/logstash/pipeline.so/0005_input_suricata.conf /usr/share/logstash/pipeline.dynamic/0006_input_beats.conf -/usr/share/logstash/pipeline.dynamic/0006_input_hhbeats.conf +/usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf /usr/share/logstash/pipeline.so/0007_input_import.conf /usr/share/logstash/pipeline.dynamic/9999_output_redis.conf 
diff --git a/salt/logstash/files/dynamic/0006_input_hhbeats.conf b/salt/logstash/files/dynamic/0010_input_hhbeats.conf similarity index 100% rename from salt/logstash/files/dynamic/0006_input_hhbeats.conf rename to salt/logstash/files/dynamic/0010_input_hhbeats.conf From c2f1bb919e9d4db28993751510867c8029236377 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 10 Jun 2019 18:48:05 -0400 Subject: [PATCH 19/66] Firewall Module - Add new beats port for hh traffic --- salt/firewall/init.sls | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 4ac7dc0c9..6cb0751e2 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -315,6 +315,17 @@ enable_forwardnode_beats_5044_{{ip}}: - position: 1 - save: True +enable_forwardnode_beats_5644_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: tcp + - source: {{ ip }} + - dport: 5644 + - position: 1 + - save: True + enable_forwardnode_sensoroni_9822_{{ip}}: iptables.insert: - table: filter From 65ccef72b8a0892a9d6657bcabe50b04ce27aa59 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 10 Jun 2019 18:49:29 -0400 Subject: [PATCH 20/66] Firewall Module - Add 443 for sensoroni --- salt/firewall/init.sls | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 6cb0751e2..bd6a4ebe2 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -326,6 +326,17 @@ enable_forwardnode_beats_5644_{{ip}}: - position: 1 - save: True +enable_forwardnode_sensoroni_443_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: tcp + - source: {{ ip }} + - dport: 443 + - position: 1 + - save: True + enable_forwardnode_sensoroni_9822_{{ip}}: iptables.insert: - table: filter From 9df2e1690bdd0010aeb9cd38eb91aa2757dc8881 Mon Sep 17 00:00:00 2001 
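Review bot: `enable_forwardnode_sensoroni_443_{{ip}}` accepts tcp/443 from each forward node, which opens every service behind the nginx listener on that port to the sensor, not only `/sensoroniagents/`; the state name suggests a narrower intent than a layer-4 rule can express. A comment on the state, `# 443 for sensoroni agents; this also exposes the rest of the web UI to forward nodes`, records the trade-off, and if narrower scope matters it has to be enforced in nginx (per-location allow/deny or authentication) rather than here. The 5644 rule added in PATCH 19 just before it is fine as a plain port allow, provided the beats listener authenticates its clients.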
From: Mike Reeves Date: Tue, 11 Jun 2019 14:13:49 -0400 Subject: [PATCH 21/66] Sensoroni Module - Wired up with new docker --- salt/sensoroni/init.sls | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls index d3375c54a..fbfc110f7 100644 --- a/salt/sensoroni/init.sls +++ b/salt/sensoroni/init.sls @@ -5,6 +5,13 @@ sensoronidir: - group: 939 - makedirs: True +sensoronidatadir: + file.directory: + - name: /nsm/sensoroni/jobs + - user: 939 + - group: 939 + - makedirs: True + sensoronisync: file.recurse: - name: /opt/so/conf/sensoroni @@ -25,6 +32,7 @@ so-sensoroni: - hostname: sensoroni - name: so-sensoroni - binds: - - /opt/so/conf/sensoroni:/sensoroni:rw + - /nsm/sensoroni/jobs:/opt/sensoroni/jobs:rw + - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro - port_bindings: - 0.0.0.0:9822:9822 From f5343b114e2560b503be55890e94844c9eb005cb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 11 Jun 2019 14:52:14 -0400 Subject: [PATCH 22/66] Sensoroni Module - Add log file --- salt/sensoroni/files/{sensoroni.conf => sensoroni.json} | 0 salt/sensoroni/init.sls | 9 +++++++++ 2 files changed, 9 insertions(+) rename salt/sensoroni/files/{sensoroni.conf => sensoroni.json} (100%) diff --git a/salt/sensoroni/files/sensoroni.conf b/salt/sensoroni/files/sensoroni.json similarity index 100% rename from salt/sensoroni/files/sensoroni.conf rename to salt/sensoroni/files/sensoroni.json diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls index fbfc110f7..e84dea38a 100644 --- a/salt/sensoroni/init.sls +++ b/salt/sensoroni/init.sls @@ -12,6 +12,13 @@ sensoronidatadir: - group: 939 - makedirs: True +sensoronilogdir: + file.directory: + - name: /opt/so/log/sensoroni + - user: 939 + - group: 939 + - makedirs: True + sensoronisync: file.recurse: - name: /opt/so/conf/sensoroni 
@@ -31,8 +38,10 @@ so-sensoroni: - image: soshybridhunter/so-sensoroni:HH1.1.0 - hostname: sensoroni - name: so-sensoroni + - user: socore - binds: - /nsm/sensoroni/jobs:/opt/sensoroni/jobs:rw - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro + - /opt/so/log/sensoroni/sensoroni-server.log:/opt/sensoroni/sensoroni-server.log:rw - port_bindings: - 0.0.0.0:9822:9822 From 61d681eb65ae5b356c68b4200eca0c35f3a06d56 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 12 Jun 2019 14:29:47 -0400 Subject: [PATCH 23/66] Sensoroni Module - Add watch statement and recreate docker --- salt/sensoroni/files/sensoroni.json | 6 +++--- salt/sensoroni/init.sls | 6 ++++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json index db240fa91..d53fe0a66 100644 --- a/salt/sensoroni/files/sensoroni.json +++ b/salt/sensoroni/files/sensoroni.json @@ -1,9 +1,9 @@ {%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%} {%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%} { - "logFilename": "sensoroni-server.log", + "logFilename": "/opt/sensoroni/logs/sensoroni-server.log", "server": { - "bindAddress": "{{ MASTERIP }}:9822", + "bindAddress": "0.0.0.0:9822", "maxPacketCount": 5000, "htmlDir": "html", "modules": { @@ -17,7 +17,7 @@ "elasticsearchVerifyCert": false }, "statickeyauth": { - "anonymousCidr": "{{ MASTERIP }}/32", + "anonymousCidr": "172.17.0.0/24", "apiKey": "{{ SENSORONIKEY }}" } } diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls index e84dea38a..e40058e97 100644 --- a/salt/sensoroni/init.sls +++ b/salt/sensoroni/init.sls 
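Review bot: `"anonymousCidr": "172.17.0.0/24"` together with `"bindAddress": "0.0.0.0:9822"` trusts every container on the Docker bridge without an apiKey, and since the nginx proxy that fronts `/sensoroni/` and `/sensoroniagents/` presumably runs on that bridge, requests it relays from outside would also arrive unauthenticated unless the server resolves the client from X-Forwarded-For. The default Docker bridge is 172.17.0.0/16, so a /24 may also fail to match containers that are assigned addresses beyond the first 256. Consider narrowing the CIDR to the proxy's own address and letting the proxy enforce authentication, or record in the template (`{# ... #}`) why a bridge-wide exemption is acceptable.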
@@ -38,10 +38,12 @@ so-sensoroni: - image: soshybridhunter/so-sensoroni:HH1.1.0 - hostname: sensoroni - name: so-sensoroni - - user: socore - binds: - /nsm/sensoroni/jobs:/opt/sensoroni/jobs:rw - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro - - /opt/so/log/sensoroni/sensoroni-server.log:/opt/sensoroni/sensoroni-server.log:rw + - /opt/so/log/sensoroni/:/opt/sensoroni/log/:rw - port_bindings: - 0.0.0.0:9822:9822 + - force: True + - watch: + - file: /opt/so/conf/sensoroni/sensoroni.json From f8af24509dac5baf5ad2416ba79b6731e7ac030b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 12 Jun 2019 14:58:41 -0400 Subject: [PATCH 24/66] Sensoroni Module - Add watch statement and recreate docker --- salt/sensoroni/init.sls | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls index e40058e97..9c6cf1906 100644 --- a/salt/sensoroni/init.sls +++ b/salt/sensoroni/init.sls @@ -44,6 +44,5 @@ so-sensoroni: - /opt/so/log/sensoroni/:/opt/sensoroni/log/:rw - port_bindings: - 0.0.0.0:9822:9822 - - force: True - watch: - - file: /opt/so/conf/sensoroni/sensoroni.json + - file: /opt/so/conf/sensoroni From ce976852bfdfcb2cca37445210c08fb52172a8af Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 12 Jun 2019 15:00:09 -0400 Subject: [PATCH 25/66] Redis Module - Remove a legacy docker download --- salt/redis/init.sls | 3 --- 1 file changed, 3 deletions(-) diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 369f39966..8f9e18fb6 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -44,9 +44,6 @@ redisconfsync: - group: 939 - template: jinja -toosmooth/so-redis:test2: - docker_image.present - so-redisimage: cmd.run: - name: docker pull --disable-content-trust=false soshybridhunter/so-redis:HH1.0.7 From db63898f21c4b32795d299a7f8c93a4847fdaf8b Mon Sep 17 00:00:00 2001 
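Review bot: Dropping `- user: socore` means the so-sensoroni container now runs as whatever user the image defaults to, while the jobs and log directories created in this file are owned by uid 939, which suggests an unprivileged user was intended. If root is needed to write into the new `/opt/so/log/sensoroni/` bind, a comment on the state saying so, and an `- user:` matching the owner of those directories once the permissions are sorted, would keep least privilege from being lost by accident. The `- force: True` added here is removed again in PATCH 24 on this same line, so the `watch` is what drives recreation. The so-sensoroni state begins outside the hunk.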
From: Mike Reeves Date: Wed, 12 Jun 2019 15:01:02 -0400 Subject: [PATCH 26/66] Redis Module - restart the container on config change --- salt/redis/init.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 8f9e18fb6..d13a51a23 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -62,3 +62,5 @@ so-redis: - /opt/so/conf/redis/etc/redis.conf:/usr/local/etc/redis/redis.conf:ro - /opt/so/conf/redis/working:/redis:rw - entrypoint: "redis-server /usr/local/etc/redis/redis.conf" + - watch: + - file: /opt/so/conf/redis/etc From cbafbe812f2e22d0d4741a369f35e5e87af9f090 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 12 Jun 2019 15:03:24 -0400 Subject: [PATCH 27/66] Core Module - restart influx if config changed --- salt/common/init.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/common/init.sls b/salt/common/init.sls index 546f423f4..998d4bce0 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -242,6 +242,8 @@ so-influxdb: - /etc/pki/influxdb.key:/etc/ssl/influxdb.key:ro - port_bindings: - 0.0.0.0:8086:8086 + - watch: + - file: /opt/so/conf/influxdb/etc/influxdb.conf # Grafana all the things grafanadir: From feefc0723592b95a8c3f5cdf5283cee61720222f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 17 Jun 2019 18:09:46 -0400 Subject: [PATCH 28/66] HH Alpha Initial Push --- salt/elasticsearch/init.sls | 4 ++-- salt/filebeat/init.sls | 4 ++-- salt/kibana/init.sls | 4 ++-- salt/logstash/init.sls | 4 ++-- .../files/{sensoroni-agent.conf => sensoroni.json} | 2 +- salt/pcap/init.sls | 14 ++++++++++++-- 6 files changed, 21 insertions(+), 11 deletions(-) rename salt/pcap/files/{sensoroni-agent.conf => sensoroni.json} (92%) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 3c6337afc..c05cb83e4 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls 
@@ -92,13 +92,13 @@ eslogdir: so-elasticsearchimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-elasticsearch:HH1.0.6 + - name: docker pull --disable-content-trust=false soshybridhunter/so-elasticsearch:HH1.1.0 so-elasticsearch: docker_container.running: - require: - so-elasticsearchimage - - image: soshybridhunter/so-elasticsearch:HH1.0.6 + - image: soshybridhunter/so-elasticsearch:HH1.1.0 - hostname: elasticsearch - name: so-elasticsearch - user: elasticsearch diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index d8abb6470..f14e71772 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -51,13 +51,13 @@ filebeatconfsync: so-filebeatimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-filebeat:HH1.0.6 + - name: docker pull --disable-content-trust=false soshybridhunter/so-filebeat:HH1.1.0 so-filebeat: docker_container.running: - require: - so-filebeatimage - - image: soshybridhunter/so-filebeat:HH1.0.6 + - image: soshybridhunter/so-filebeat:HH1.1.0 - hostname: so-filebeat - user: root - extra_hosts: {{ MASTER }}:{{ MASTERIP }} diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index f1015410e..7a403fd11 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -56,14 +56,14 @@ synckibanacustom: so-kibanaimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-kibana:HH1.0.7 + - name: docker pull --disable-content-trust=false soshybridhunter/so-kibana:HH1.1.0 # Start the kibana docker so-kibana: docker_container.running: - require: - so-kibanaimage - - image: soshybridhunter/so-kibana:HH1.0.7 + - image: soshybridhunter/so-kibana:HH1.1.0 - hostname: kibana - user: kibana - environment: diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 4e7e441a8..302598a45 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls 
@@ -148,13 +148,13 @@ lslogdir: # Add the container so-logstashimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-logstash:HH1.0.6 + - name: docker pull --disable-content-trust=false soshybridhunter/so-logstash:HH1.1.0 so-logstash: docker_container.running: - require: - so-logstashimage - - image: soshybridhunter/so-logstash:HH1.0.6 + - image: soshybridhunter/so-logstash:HH1.1.0 - hostname: so-logstash - name: so-logstash - user: logstash diff --git a/salt/pcap/files/sensoroni-agent.conf b/salt/pcap/files/sensoroni.json similarity index 92% rename from salt/pcap/files/sensoroni-agent.conf rename to salt/pcap/files/sensoroni.json index 0afe2333c..e57a56d44 100644 --- a/salt/pcap/files/sensoroni-agent.conf +++ b/salt/pcap/files/sensoroni.json @@ -1,7 +1,7 @@ {%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%} {%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%} { - "logFilename": "sensoroni.log", + "logFilename": "log/sensoroni.log", "agent": { "pollIntervalMs": 10000, "serverUrl": "https://{{ MASTERIP }}/sensoroniagents", diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index bb381cb10..3aede1607 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -44,6 +44,15 @@ stenoconf: - mode: 644 - template: jinja +sensoroniagentconf: + file.managed: + - name: /opt/so/conf/steno/sensoroni.json + - source: salt://pcap/files/sensoroni.json + - user: root + - group: root + - mode: 644 + - template: jinja + stenoca: file.directory: - name: /opt/so/conf/steno/certs @@ -87,13 +96,13 @@ stenolog: so-stenoimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-steno:HH1.0.3 + - name: docker pull --disable-content-trust=false soshybridhunter/so-steno:HH1.1.0 so-steno: docker_container.running: - require: - so-stenoimage - - image: soshybridhunter/so-steno:HH1.0.3 + - image: soshybridhunter/so-steno:HH1.1.0 - network_mode: host - privileged: True - port_bindings: 
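Review bot: `sensoroniagentconf` renders a file that embeds the static API key (`{{ SENSORONIKEY }}` in the sensoroni.json template in this same commit) and writes it with `mode: 644`, so any local account on the sensor can read the key. The file is bind-mounted read-only into so-steno, which runs with `privileged: True`, so it does not need to be world-readable; `- mode: 600` (or `640` with a group the consuming process belongs to) keeps the key to root. The adjacent `stenoconf` state uses 644 as well, but whether it carries anything sensitive is not visible here.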
@@ -106,3 +115,4 @@ so-steno: - /nsm/pcaptmp:/tmp:rw - /nsm/pcapout:/nsm/pcapout:rw - /opt/so/log/stenographer:/var/log/stenographer:rw + - /opt/so/conf/steno/sensoroni.json:/opt/sensoroni/sensoroni.json:ro From ad2cbcbc59e6e6863ee35ef2cef52b1efdbe4bb8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 17 Jun 2019 19:51:47 -0400 Subject: [PATCH 29/66] PCAP Module - Fix Cert stuff --- salt/pcap/files/sensoroni.json | 4 ++-- salt/pcap/init.sls | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/salt/pcap/files/sensoroni.json b/salt/pcap/files/sensoroni.json index e57a56d44..d35cfb067 100644 --- a/salt/pcap/files/sensoroni.json +++ b/salt/pcap/files/sensoroni.json @@ -1,10 +1,10 @@ -{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%} +{%- set MASTER = grains['master'] -%} {%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%} { "logFilename": "log/sensoroni.log", "agent": { "pollIntervalMs": 10000, - "serverUrl": "https://{{ MASTERIP }}/sensoroniagents", + "serverUrl": "https://{{ MASTER }}/sensoroniagents", "modules": { "statickeyauth": { "apiKey": "{{ SENSORONIKEY }}" diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 3aede1607..7467cabcd 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -116,3 +116,5 @@ so-steno: - /nsm/pcapout:/nsm/pcapout:rw - /opt/so/log/stenographer:/var/log/stenographer:rw - /opt/so/conf/steno/sensoroni.json:/opt/sensoroni/sensoroni.json:ro + - watch: + - /opt/so/conf/steno/sensoroni.json From e5d3ad847e3ade18adc7e9dc05cf8685973940bb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 18 Jun 2019 09:26:51 -0400 Subject: [PATCH 30/66] PCAP Module - Disable cert verify --- salt/pcap/files/sensoroni.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/pcap/files/sensoroni.json b/salt/pcap/files/sensoroni.json index d35cfb067..213ffefa1 100644 --- a/salt/pcap/files/sensoroni.json +++ b/salt/pcap/files/sensoroni.json 
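Review bot: The new `watch` entry `- /opt/so/conf/steno/sensoroni.json` is a bare string, whereas the watch entries added to redis and influxdb earlier in this series use the `- file: <path>` form that Salt requisites expect; a bare entry is likely to be rejected when the state is compiled instead of restarting so-steno on a config change. `- file: /opt/so/conf/steno/sensoroni.json` (or `- file: sensoroniagentconf`, the id of the managing state) matches the siblings. The so-steno state starts above the hunk.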
@@ -5,6 +5,7 @@ "agent": { "pollIntervalMs": 10000, "serverUrl": "https://{{ MASTER }}/sensoroniagents", + "verifyCert": false, "modules": { "statickeyauth": { "apiKey": "{{ SENSORONIKEY }}" From 02d49c83763bfa70f221d41413a65e1c696dfd0b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 18 Jun 2019 10:10:58 -0400 Subject: [PATCH 31/66] PCAP module - add log dir for sensoroni --- salt/pcap/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 7467cabcd..5a67a6ec6 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -116,5 +116,6 @@ so-steno: - /nsm/pcapout:/nsm/pcapout:rw - /opt/so/log/stenographer:/var/log/stenographer:rw - /opt/so/conf/steno/sensoroni.json:/opt/sensoroni/sensoroni.json:ro + - /opt/so/log/stenographer:/opt/sensoroni/log:rw - watch: - /opt/so/conf/steno/sensoroni.json From f8b6b752b680c6e31ab14f3416a3d475c2c9ef18 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 18 Jun 2019 10:30:00 -0400 Subject: [PATCH 32/66] Logstash - Fix filebeat --- salt/logstash/conf/conf.enabled.txt.so-eval | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/logstash/conf/conf.enabled.txt.so-eval b/salt/logstash/conf/conf.enabled.txt.so-eval index 9e74b959b..e7680b3be 100644 --- a/salt/logstash/conf/conf.enabled.txt.so-eval +++ b/salt/logstash/conf/conf.enabled.txt.so-eval @@ -12,7 +12,7 @@ #/usr/share/logstash/pipeline.so/0002_input_windows_json.conf #/usr/share/logstash/pipeline.so/0003_input_syslog.conf #/usr/share/logstash/pipeline.so/0005_input_suricata.conf -/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf +#/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf /usr/share/logstash/pipeline.so/0007_input_import.conf /usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf #/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf From ecd75d121b153ab47d8093346922a17a7a91c93d Mon Sep 17 00:00:00 2001 
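Review bot: `"verifyCert": false` turns off certificate verification for the agent's connection to `https://{{ MASTER }}/sensoroniagents`, and the same file sends the static `statickeyauth.apiKey` over that connection, so anyone positioned between a sensor and the master can present their own certificate and collect the key. top.sls on this page applies the `ca` and `ssl` states ahead of `sensoroni`, so trusting the master's CA on agents and leaving verification on looks reachable. If this is a stopgap for the certificate problem from the previous commit, a Jinja comment in the template (`{# verifyCert disabled until agents trust the master cert — TODO re-enable #}`) would keep it from becoming permanent.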
From: Mike Reeves Date: Wed, 19 Jun 2019 09:15:12 -0400 Subject: [PATCH 33/66] PCAP module - fix logging for sensoroni --- salt/pcap/files/sensoroni.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/pcap/files/sensoroni.json b/salt/pcap/files/sensoroni.json index 213ffefa1..62742f1a9 100644 --- a/salt/pcap/files/sensoroni.json +++ b/salt/pcap/files/sensoroni.json @@ -1,7 +1,7 @@ {%- set MASTER = grains['master'] -%} {%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%} { - "logFilename": "log/sensoroni.log", + "logFilename": "/opt/sensoroni/log/sensoroni.log", "agent": { "pollIntervalMs": 10000, "serverUrl": "https://{{ MASTER }}/sensoroniagents", From b6fd6fa2cccc3fab01344b398a62cfad06aea373 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 19 Jun 2019 22:10:09 -0400 Subject: [PATCH 34/66] PCAP module - fix dir --- salt/logstash/conf/conf.enabled.txt.so-master | 2 +- salt/pcap/files/sensoroni.json | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/logstash/conf/conf.enabled.txt.so-master b/salt/logstash/conf/conf.enabled.txt.so-master index 37fa8cacc..6464496fa 100644 --- a/salt/logstash/conf/conf.enabled.txt.so-master +++ b/salt/logstash/conf/conf.enabled.txt.so-master @@ -12,7 +12,7 @@ /usr/share/logstash/pipeline.so/0002_input_windows_json.conf /usr/share/logstash/pipeline.so/0003_input_syslog.conf /usr/share/logstash/pipeline.so/0005_input_suricata.conf -/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf +#/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf /usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf /usr/share/logstash/pipeline.so/0007_input_import.conf /usr/share/logstash/pipeline.dynamic/9999_output_redis.conf diff --git a/salt/pcap/files/sensoroni.json b/salt/pcap/files/sensoroni.json index 62742f1a9..be2577c0a 100644 --- a/salt/pcap/files/sensoroni.json +++ b/salt/pcap/files/sensoroni.json 
@@ -2,6 +2,7 @@ {%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%} { "logFilename": "/opt/sensoroni/log/sensoroni.log", + "logLevel":"debug", "agent": { "pollIntervalMs": 10000, "serverUrl": "https://{{ MASTER }}/sensoroniagents", @@ -12,7 +13,7 @@ }, "stenoquery": { "pcapInputPath": "/nsm/pcap", - "pcapOutputPath": "/nsm/pcapoutput" + "pcapOutputPath": "/nsm/pcapout" } } } From 8a4180a8ed96acc4f7c66a52e8b2dec53335dc21 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 20 Jun 2019 11:21:04 -0400 Subject: [PATCH 35/66] Setup script - install nmcli on Ubuntu --- so-setup-network.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/so-setup-network.sh b/so-setup-network.sh index 1570e418c..a5f2d6f5c 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -382,6 +382,7 @@ detect_os() { yum -y install bind-utils elif [ -f /etc/os-release ]; then OS=ubuntu + apt install -y network-manager else echo "We were unable to determine if you are using a supported OS." >> $SETUPLOG 2>&1 exit From e2967a1255cf1709ee5d4b9884cb4d9f07597a5c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 20 Jun 2019 11:39:34 -0400 Subject: [PATCH 36/66] Setup script - enable network manager --- so-setup-network.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/so-setup-network.sh b/so-setup-network.sh index a5f2d6f5c..7830c4857 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -383,6 +383,8 @@ detect_os() { elif [ -f /etc/os-release ]; then OS=ubuntu apt install -y network-manager + /bin/systemctl enable network-manager + /bin/systemctl start network-manager else echo "We were unable to determine if you are using a supported OS." >> $SETUPLOG 2>&1 exit From 919272bb8d3a267de62999a46d48217be89a938d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 20 Jun 2019 16:37:33 -0400 Subject: [PATCH 37/66] Sensoroni - Move up to start earlier --- salt/top.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
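Review bot: `"logLevel":"debug"` is hard-coded in the template, so every sensor runs the agent at debug level after this change; if it was added to chase the log-directory problem, a pillar lookup in the style of the existing `salt['pillar.get'](...)` lines at the top of the file, defaulting to `info`, keeps the knob without shipping debug output by default. The line also lacks the space after the colon that the neighbouring keys use.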
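Review bot: `apt install -y network-manager` here, and the two `/bin/systemctl` calls in the next hunk, send nothing to `$SETUPLOG` and their exit status is not checked, unlike the `echo ... >> $SETUPLOG 2>&1` line just below, so a failed install surfaces later as an unexplained nmcli error with no trace in the setup log. `apt-get install -y network-manager >> $SETUPLOG 2>&1` is preferable to `apt`, whose command-line interface is documented as not stable for scripting, and the same redirection suits the `systemctl enable`/`start` lines. The enclosing `detect_os` function starts and ends outside the hunk.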
diff --git a/salt/top.sls b/salt/top.sls index e9c7a1360..f3f8c0a73 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -25,6 +25,7 @@ base: - ca - ssl - common + - sensoroni - firewall - master - idstools @@ -35,7 +36,6 @@ base: - logstash - kibana - pcap - - sensoroni - suricata - bro - curator @@ -61,11 +61,11 @@ base: - ca - ssl - common + - sensoroni - firewall - master - idstools - redis - - sensoroni {%- if OSQUERY != 0 %} - mysql {%- endif %} From 36f2756ae2e25f8d2c7a1dd2ca111ee00f1b7961 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 21 Jun 2019 16:16:12 -0400 Subject: [PATCH 38/66] Added initial code to account for different nmcli versions --- so-setup-network.sh | 59 +++++++++++++++++++++++++++++++-------------- 1 file changed, 41 insertions(+), 18 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 7830c4857..21c4c7c2f 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh 
@@ -254,27 +254,50 @@ create_bond_nmcli() { MTU=1500 fi - # Create the bond interface - nmcli con add type bond ifname bond0 con-name "bond0" \ - bond.options "mode=0" \ - 802-3-ethernet.mtu $MTU \ - ipv4.method "disabled" \ - ipv6.method "ignore" \ - connection.autoconnect "yes" \ - >> $SETUPLOG 2>&1 + NMCLI_VER=$(nmcli -v | sed 's/nmcli tool, version 1\.//g' | awk -F '\\.' '{print $1}') - for BNIC in ${BNICS[@]}; do - # Strip the quotes from the NIC names - BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" - # Create the slave interface and assign it to the bond - nmcli con add type ethernet ifname $BONDNIC master bond0 \ - connection.autoconnect "yes" \ + if [[ $NMCLI_VER -lt 12 ]] + then # We are using an older version of nmcli + + # Create the bond interface + nmcli con add ifname bond0 con-name "bond0" type bond + nmcli con mod bond0 bond.options "mode=0" + nmcli con mod bond0 ethernet.mtu $MTU + nmcli con mod bond0 ipv4.method "disabled" + nmcli con mod bond0 ipv6.method "ignore" + nmcli con mod bond0 connection.autoconnect "yes" + + for BNIC in ${BNICS[@]}; do + # Strip the quotes from the NIC names + BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" + # Create the slave interface and assign it to the bond + nmcli con add type ethernet ifname $BONDNIC con-name "bond0-slave-$BONDNIC" master bond0 + nmcli con mod bond0-slave-$BONDNIC ethernet.mtu $MTU + nmcli con mod bond0-slave-$BONDNIC connection.autoconnect "yes" + done + else + # Create the bond interface + nmcli con add type bond ifname bond0 con-name "bond0" \ + bond.options "mode=0" \ 802-3-ethernet.mtu $MTU \ - con-name "bond0-slave-$BONDNIC" \ + ipv4.method "disabled" \ + ipv6.method "ignore" \ + connection.autoconnect "yes" \ >> $SETUPLOG 2>&1 - # Bring the slave interface up - nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1 - done + + for BNIC in ${BNICS[@]}; do + # Strip the quotes from the NIC names + BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" + # Create the slave interface and assign it to the bond + 
nmcli con add type ethernet ifname $BONDNIC master bond0 \ + connection.autoconnect "yes" \ + 802-3-ethernet.mtu $MTU \ + con-name "bond0-slave-$BONDNIC" \ + >> $SETUPLOG 2>&1 + # Bring the slave interface up + nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1 + done + fi } create_bond() { From 625668e2592d7613b0b88d67025046305efad06a Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 24 Jun 2019 10:21:14 -0400 Subject: [PATCH 39/66] Added logging syntax and fixed bond interface bring up We should bring the bond connections up after creating them --- so-setup-network.sh | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 21c4c7c2f..93a57b386 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh 
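Review bot: `NMCLI_VER` is obtained by stripping the literal prefix `nmcli tool, version 1.`, so on any build whose banner does not start that way (a different wording, or a major version other than 1) the variable is empty or non-numeric and `[[ $NMCLI_VER -lt 12 ]]` fails with an arithmetic error rather than choosing a branch. Validating it before the comparison, e.g. `[[ $NMCLI_VER =~ ^[0-9]+$ ]] || { echo "unrecognised nmcli version" >> $SETUPLOG; NMCLI_VER=0; }`, and logging which branch was taken would make that failure visible in `$SETUPLOG`. `${BNICS[@]}` is still expanded unquoted in both loops. The enclosing `create_bond_nmcli` function starts before the hunk.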
@@ -260,20 +260,21 @@ create_bond_nmcli() { then # We are using an older version of nmcli # Create the bond interface - nmcli con add ifname bond0 con-name "bond0" type bond - nmcli con mod bond0 bond.options "mode=0" - nmcli con mod bond0 ethernet.mtu $MTU - nmcli con mod bond0 ipv4.method "disabled" - nmcli con mod bond0 ipv6.method "ignore" - nmcli con mod bond0 connection.autoconnect "yes" + nmcli con add ifname bond0 con-name "bond0" type bond >> $SETUPLOG 2>&1 + nmcli con mod bond0 bond.options "mode=0" >> $SETUPLOG 2>&1 + nmcli con mod bond0 ethernet.mtu $MTU >> $SETUPLOG 2>&1 + nmcli con mod bond0 ipv4.method "disabled" >> $SETUPLOG 2>&1 + nmcli con mod bond0 ipv6.method "ignore" >> $SETUPLOG 2>&1 + nmcli con mod bond0 connection.autoconnect "yes" >> $SETUPLOG 2>&1 for BNIC in ${BNICS[@]}; do # Strip the quotes from the NIC names BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" # Create the slave interface and assign it to the bond - nmcli con add type ethernet ifname $BONDNIC con-name "bond0-slave-$BONDNIC" master bond0 - nmcli con mod bond0-slave-$BONDNIC ethernet.mtu $MTU - nmcli con mod bond0-slave-$BONDNIC connection.autoconnect "yes" + nmcli con add type ethernet ifname $BONDNIC con-name "bond0-slave-$BONDNIC" master bond0 >> $SETUPLOG 2>&1 + nmcli con mod bond0-slave-$BONDNIC ethernet.mtu $MTU >> $SETUPLOG 2>&1 + nmcli con mod bond0-slave-$BONDNIC connection.autoconnect "yes" >> $SETUPLOG 2>&1 + nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1 done else # Create the bond interface From 1b3c5f8b7923c36367d65f1bcc02ef058eacc92d Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 24 Jun 2019 12:14:07 -0400 Subject: [PATCH 40/66] Fixed slave -> bond issues and standardized syntax for nmcli so it works on any version --- so-setup-network.sh | 44 +++++++++----------------------------------- 1 file changed, 9 insertions(+), 35 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 93a57b386..55fff5e70 100644 --- a/so-setup-network.sh 
+++ b/so-setup-network.sh @@ -254,35 +254,11 @@ create_bond_nmcli() { MTU=1500 fi - NMCLI_VER=$(nmcli -v | sed 's/nmcli tool, version 1\.//g' | awk -F '\\.' '{print $1}') - - if [[ $NMCLI_VER -lt 12 ]] - then # We are using an older version of nmcli - - # Create the bond interface - nmcli con add ifname bond0 con-name "bond0" type bond >> $SETUPLOG 2>&1 - nmcli con mod bond0 bond.options "mode=0" >> $SETUPLOG 2>&1 - nmcli con mod bond0 ethernet.mtu $MTU >> $SETUPLOG 2>&1 - nmcli con mod bond0 ipv4.method "disabled" >> $SETUPLOG 2>&1 - nmcli con mod bond0 ipv6.method "ignore" >> $SETUPLOG 2>&1 - nmcli con mod bond0 connection.autoconnect "yes" >> $SETUPLOG 2>&1 - - for BNIC in ${BNICS[@]}; do - # Strip the quotes from the NIC names - BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" - # Create the slave interface and assign it to the bond - nmcli con add type ethernet ifname $BONDNIC con-name "bond0-slave-$BONDNIC" master bond0 >> $SETUPLOG 2>&1 - nmcli con mod bond0-slave-$BONDNIC ethernet.mtu $MTU >> $SETUPLOG 2>&1 - nmcli con mod bond0-slave-$BONDNIC connection.autoconnect "yes" >> $SETUPLOG 2>&1 - nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1 - done - else - # Create the bond interface - nmcli con add type bond ifname bond0 con-name "bond0" \ - bond.options "mode=0" \ - 802-3-ethernet.mtu $MTU \ - ipv4.method "disabled" \ - ipv6.method "ignore" \ +# Create the bond interface + nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \ + ipv4.method disabled \ + ipv6.method link-local \ + ethernet.mtu $MTU \ connection.autoconnect "yes" \ >> $SETUPLOG 2>&1 
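Review bot: `ipv6.method link-local` replaces the earlier `ipv6.method "ignore"` on bond0 and the commit message only mentions standardising syntax; with link-local active, NetworkManager assigns an fe80:: address to the capture bond and the host may answer neighbour discovery on it, so a monitoring interface meant to be passive could become discoverable from the monitored segment. If the intent was only to unify the nmcli syntax, keeping `ipv6.method ignore` (or `ipv6.method disabled` where the installed NetworkManager supports it) alongside the existing `ipv4.method disabled` preserves the previous behaviour; if link-local is actually required, a comment saying so would help. The `# Create the bond interface` comment is now at column 0 inside the function.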
@@ -290,15 +266,13 @@ create_bond_nmcli() { # Strip the quotes from the NIC names BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" # Create the slave interface and assign it to the bond - nmcli con add type ethernet ifname $BONDNIC master bond0 \ - connection.autoconnect "yes" \ - 802-3-ethernet.mtu $MTU \ - con-name "bond0-slave-$BONDNIC" \ - >> $SETUPLOG 2>&1 + nmcli con add type ethernet ifname $BONDNIC con-name "bond0-slave-$BONDNIC" master bond0 -- \ + ethernet.mtu $MTU \ + connection.autoconnect "yes" \ + >> $SETUPLOG 2>&1 # Bring the slave interface up nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1 done - fi } create_bond() { From eb5e0a53df9cbc356fdcdf9f8bfeab2090b06825 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 25 Jun 2019 10:17:23 -0400 Subject: [PATCH 41/66] Bro Module - Update to 2.6.2 --- salt/bro/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/bro/init.sls b/salt/bro/init.sls index eada1103c..734255536 100644 --- a/salt/bro/init.sls +++ b/salt/bro/init.sls @@ -125,13 +125,13 @@ localbrosync: so-broimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-bro:HH1.0.6 + - name: docker pull --disable-content-trust=false soshybridhunter/so-bro:HH1.1.0 so-bro: docker_container.running: - require: - so-broimage - - image: soshybridhunter/so-bro:HH1.0.6 + - image: soshybridhunter/so-bro:HH1.1.0 - privileged: True - binds: - /nsm/bro/logs:/nsm/bro/logs:rw From d5c889e4848fee344691a2c4e95af31ed0b5829d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 25 Jun 2019 10:32:38 -0400 Subject: [PATCH 42/66] Curator Module - Update tag to alpha --- salt/curator/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 7e6f01544..5c788b891 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls 
@@ -114,13 +114,13 @@ curdel: so-curatorimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-curator:HH1.0.3 + - name: docker pull --disable-content-trust=false soshybridhunter/so-curator:HH1.1.0 so-curator: docker_container.running: - require: - so-curatorimage - - image: soshybridhunter/so-curator:HH1.0.3 + - image: soshybridhunter/so-curator:HH1.1.0 - hostname: curator - name: so-curator - user: curator From 276db9ed509608b1979b94616d047630bb81c8bd Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Jun 2019 11:16:29 -0400 Subject: [PATCH 43/66] Elastalert Module - Update tag to alpha --- salt/elastalert/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 298a56523..301aa9459 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -81,13 +81,13 @@ elastarules: so-elastalertimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-elastalert:HH1.0.3 + - name: docker pull --disable-content-trust=false soshybridhunter/so-elastalert:HH1.1.0 so-elastalert: docker_container.running: - require: - so-elastalertimage - - image: soshybridhunter/so-elastalert:HH1.0.3 + - image: soshybridhunter/so-elastalert:HH1.1.0 - hostname: elastalert - name: so-elastalert - user: elastalert From 30b21488b0d24119dc0c016114848562c84e2fa6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Jun 2019 11:20:55 -0400 Subject: [PATCH 44/66] Fleet Module - Update tag to alpha --- salt/fleet/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index 2ec83502b..83c019880 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls 
@@ -61,13 +61,13 @@ fleetdbpriv: so-fleetimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-fleet:HH1.0.6 + - name: docker pull --disable-content-trust=false soshybridhunter/so-fleet:HH1.1.0 so-fleet: docker_container.running: - require: - so-fleetimage - - image: soshybridhunter/so-fleet:HH1.0.6 + - image: soshybridhunter/so-fleet:HH1.1.0 - hostname: so-fleet - port_bindings: - 0.0.0.0:8080:8080 From 6e29c383335b5ebd613f5a6572b04f2506ec6a0a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Jun 2019 11:22:21 -0400 Subject: [PATCH 45/66] idstools Module - Update tag to alpha --- salt/idstools/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 17de745fb..7878f4f77 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -50,13 +50,13 @@ ruleslink: so-idstoolsimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-idstools:HH1.0.3 + - name: docker pull --disable-content-trust=false soshybridhunter/so-idstools:HH1.1.0 so-idstools: docker_container.running: - require: - so-idstoolsimage - - image: soshybridhunter/so-idstools:HH1.0.3 + - image: soshybridhunter/so-idstools:HH1.1.0 - hostname: so-idstools - user: socore - binds: From f03124ae13f4c336c516f26405e887a5ffeb5f72 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Jun 2019 11:37:33 -0400 Subject: [PATCH 46/66] MySQL Module - Update tag to alpha --- salt/mysql/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index f956a37bc..4ade15f33 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls 
@@ -50,13 +50,13 @@ mysqldatadir: so-mysqlimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-mysql:HH1.0.7 + - name: docker pull --disable-content-trust=false soshybridhunter/so-mysql:HH1.1.0 so-mysql: docker_container.running: - require: - so-mysqlimage - - image: soshybridhunter/so-mysql:HH1.0.7 + - image: soshybridhunter/so-mysql:HH1.1.0 - hostname: so-mysql - user: socore - port_bindings: From 9ba5f6782811e4767cfd559cc4f9fe544f994d6f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Jun 2019 13:16:49 -0400 Subject: [PATCH 47/66] Update all containers to alpha except so-core --- salt/common/init.sls | 14 +++++++++----- salt/hive/init.sls | 8 ++++---- salt/redis/init.sls | 4 ++-- salt/soctopus/init.sls | 4 ++-- salt/suricata/init.sls | 4 ++-- salt/wazuh/init.sls | 4 ++-- 6 files changed, 21 insertions(+), 17 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 998d4bce0..49008c9e7 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -164,13 +164,13 @@ tgrafconf: so-telegrafimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-telegraf:HH1.0.7 + - name: docker pull --disable-content-trust=false soshybridhunter/so-telegraf:HH1.1.0 so-telegraf: docker_container.running: - require: - so-telegrafimage - - image: soshybridhunter/so-telegraf:HH1.0.7 + - image: soshybridhunter/so-telegraf:HH1.1.0 - environment: - HOST_PROC=/host/proc - HOST_ETC=/host/etc @@ -225,13 +225,13 @@ influxdbconf: so-influximage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-influxdb:HH1.0.7 + - name: docker pull --disable-content-trust=false soshybridhunter/so-influxdb:HH1.1.0 so-influxdb: docker_container.running: - require: - so-influximage - - image: soshybridhunter/so-influxdb:HH1.0.7 + - image: soshybridhunter/so-influxdb:HH1.1.0 - hostname: influxdb - environment: - INFLUXDB_HTTP_LOG_ENABLED=false 
@@ -388,9 +388,13 @@ dashboard-{{ SN }}: {% endif %} # Install the docker. This needs to be behind nginx at some point +so-grafanaimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-grafana:HH1.1.0 + so-grafana: docker_container.running: - - image: soshybridhunter/so-grafana:HH1.0.8 + - image: soshybridhunter/so-grafana:HH1.1.0 - hostname: grafana - user: socore - binds: diff --git a/salt/hive/init.sls b/salt/hive/init.sls index 81032b401..7d3862782 100644 --- a/salt/hive/init.sls +++ b/salt/hive/init.sls @@ -33,13 +33,13 @@ hiveesdata: so-thehive-esimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-thehive-es:HH1.0.7 + - name: docker pull --disable-content-trust=false soshybridhunter/so-thehive-es:HH1.1.0 so-thehive-es: docker_container.running: - require: - so-thehive-esimage - - image: soshybridhunter/so-thehive-es:HH1.0.7 + - image: soshybridhunter/so-thehive-es:HH1.1.0 - hostname: so-thehive-es - name: so-thehive-es - user: 939 @@ -81,13 +81,13 @@ so-thehive-es: so-thehiveimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-thehive:HH1.0.8 + - name: docker pull --disable-content-trust=false soshybridhunter/so-thehive:HH1.1.0 so-thehive: docker_container.running: - require: - so-thehiveimage - - image: soshybridhunter/so-thehive:HH1.0.8 + - image: soshybridhunter/so-thehive:HH1.1.0 - environment: - ELASTICSEARCH_HOST={{ MASTERIP }} - hostname: so-thehive diff --git a/salt/redis/init.sls b/salt/redis/init.sls index d13a51a23..174c1725b 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls 
@@ -46,13 +46,13 @@ redisconfsync: so-redisimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-redis:HH1.0.7 + - name: docker pull --disable-content-trust=false soshybridhunter/so-redis:HH1.1.0 so-redis: docker_container.running: - require: - so-redisimage - - image: soshybridhunter/so-redis:HH1.0.7 + - image: soshybridhunter/so-redis:HH1.1.0 - hostname: so-redis - user: socore - port_bindings: diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index ed2ce8900..22b21eb8f 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -15,13 +15,13 @@ soctopussync: so-soctopusimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-soctopus:HH1.0.8 + - name: docker pull --disable-content-trust=false soshybridhunter/so-soctopus:HH1.1.0 so-soctopus: docker_container.running: - require: - so-soctopusimage - - image: soshybridhunter/so-soctopus:HH1.0.8 + - image: soshybridhunter/so-soctopus:HH1.1.0 - hostname: soctopus - name: so-soctopus - binds: diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 0453988f0..2739f4318 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -72,13 +72,13 @@ suriconfigsync: so-suricataimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-suricata:HH1.0.8 + - name: docker pull --disable-content-trust=false soshybridhunter/so-suricata:HH1.1.0 so-suricata: docker_container.running: - require: - so-suricataimage - - image: soshybridhunter/so-suricata:HH1.0.8 + - image: soshybridhunter/so-suricata:HH1.1.0 - privileged: True - environment: - INTERFACE={{ interface }} diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index eb0fa5cb9..4ff937c08 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls 
@@ -58,13 +58,13 @@ wazuhagentregister: so-wazuhimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-wazuh:HH1.0.7 + - name: docker pull --disable-content-trust=false soshybridhunter/so-wazuh:HH1.1.0 so-wazuh: docker_container.running: - require: - so-wazuhimage - - image: soshybridhunter/so-wazuh:HH1.0.7 + - image: soshybridhunter/so-wazuh:HH1.1.0 - hostname: {{HOSTNAME}}-wazuh-manager - name: so-wazuh - detach: True From 186defe0e2f2a9bff06c83dbf4ff4c40990667f1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 15 Jul 2019 15:39:43 -0400 Subject: [PATCH 48/66] Core Module - Add htpasswd love --- salt/common/init.sls | 2 ++ salt/common/nginx/nginx.conf.so-master | 10 ++++++++++ salt/common/tools/sbin/so-user-add | 17 +++++++++++++++++ 3 files changed, 29 insertions(+) create mode 100644 salt/common/tools/sbin/so-user-add diff --git a/salt/common/init.sls b/salt/common/init.sls index 49008c9e7..c344dbb68 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -41,9 +41,11 @@ sensorpkgs: {% if grains['os'] != 'CentOS' %} - python-docker - python-m2crypto + - apache2-utils {% else %} - net-tools - tcpdump + - httpd-tools {% endif %} # Always keep these packages up to date diff --git a/salt/common/nginx/nginx.conf.so-master b/salt/common/nginx/nginx.conf.so-master index 89a5a1300..6e512b191 100644 --- a/salt/common/nginx/nginx.conf.so-master +++ b/salt/common/nginx/nginx.conf.so-master @@ -88,6 +88,8 @@ http { # } location /grafana/ { + auth_basic “Security Onion”; + auth_basic_user_file /opt/so/conf/nginx/.htpasswd; rewrite /grafana/(.*) /$1 break; proxy_pass http://{{ masterip }}:3000/; proxy_read_timeout 90; @@ -100,6 +102,8 @@ http { } location /kibana/ { + auth_basic “Security Onion”; + auth_basic_user_file /opt/so/conf/nginx/.htpasswd; rewrite /kibana/(.*) /$1 break; proxy_pass http://{{ masterip }}:5601/; proxy_read_timeout 90; 
@@ -126,6 +130,8 @@ http { location /fleet/ { rewrite /fleet/(.*) /$1 break; + auth_basic “Security Onion”; + auth_basic_user_file /opt/so/conf/nginx/.htpasswd; proxy_pass https://{{ masterip }}:8080/; proxy_read_timeout 90; proxy_connect_timeout 90; @@ -137,6 +143,8 @@ http { } location /thehive/ { + auth_basic “Security Onion”; + auth_basic_user_file /opt/so/conf/nginx/.htpasswd; proxy_pass http://{{ masterip }}:9000/thehive/; proxy_read_timeout 90; proxy_connect_timeout 90; @@ -160,6 +168,8 @@ http { } location /sensoroni/ { + auth_basic “Security Onion”; + auth_basic_user_file /opt/so/conf/nginx/.htpasswd; proxy_pass http://{{ masterip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; diff --git a/salt/common/tools/sbin/so-user-add b/salt/common/tools/sbin/so-user-add new file mode 100644 index 000000000..930e02d7d --- /dev/null +++ b/salt/common/tools/sbin/so-user-add @@ -0,0 +1,17 @@ +#!/bin/bash +USERNAME=$1 + +# Make sure a username is provided +[ $# -eq 0 ] && { echo "Usage: $0 username"; exit 1; } + +# If the file is there already lets create it otherwise add the user +if [ ! -f /opt/so/conf/nginx/.htpasswd ]; then + + # Create the password file + htpasswd -c /opt/so/conf/nginx/.htpasswd $USERNAME + +else + + htpasswd /opt/so/conf/nginx/.htpasswd $USERNAME + +fi From e0e6e2193a47795b89d844cd2ffebcda80e54ed1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 15 Jul 2019 21:55:48 -0400 Subject: [PATCH 49/66] Core Module - Fix NGinx config --- salt/common/init.sls | 10 ++++++++++ salt/common/nginx/nginx.conf.so-eval | 10 ++++++++++ salt/common/nginx/nginx.conf.so-master | 10 +++++----- 3 files changed, 25 insertions(+), 5 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index c344dbb68..cf04a6b9b 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls 
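Review bot: `$USERNAME` is passed to htpasswd unquoted in both branches, so a name containing whitespace or glob characters splits into extra arguments; `htpasswd -c /opt/so/conf/nginx/.htpasswd "$USERNAME"` and `htpasswd /opt/so/conf/nginx/.htpasswd "$USERNAME"` fix that. The file is created with whatever umask the caller has, so a `chmod 640 /opt/so/conf/nginx/.htpasswd` after the `-c` branch keeps the password hashes from being world-readable. htpasswd's default scheme is apr1/MD5; if the nginx build that reads this file supports bcrypt, adding `-B` stores a considerably stronger hash. A `set -eu` line after the shebang would also stop the script on an htpasswd failure instead of exiting 0.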
@@ -63,6 +63,16 @@ alwaysupdated: Etc/UTC: timezone.system +# Sync some Utilities +utilsyncscripts: + file.recurse: + - name: /usr/sbin + - user: 0 + - group: 0 + - file_mode: 755 + - template: jinja + - source: salt://common/tools/sbin + # Make sure Docker is running! docker: service.running: diff --git a/salt/common/nginx/nginx.conf.so-eval b/salt/common/nginx/nginx.conf.so-eval index 8f3ff4c31..5c924110c 100644 --- a/salt/common/nginx/nginx.conf.so-eval +++ b/salt/common/nginx/nginx.conf.so-eval @@ -88,6 +88,8 @@ http { # } location /grafana/ { + auth_basic "Security Onion"; + auth_basic_user_file /opt/so/conf/nginx/.htpasswd; rewrite /grafana/(.*) /$1 break; proxy_pass http://{{ masterip }}:3000/; proxy_read_timeout 90; @@ -100,6 +102,8 @@ http { } location /kibana/ { + auth_basic "Security Onion"; + auth_basic_user_file /opt/so/conf/nginx/.htpasswd; rewrite /kibana/(.*) /$1 break; proxy_pass http://{{ masterip }}:5601/; proxy_read_timeout 90; @@ -125,6 +129,8 @@ http { } location /fleet/ { + auth_basic "Security Onion"; + auth_basic_user_file /opt/so/conf/nginx/.htpasswd; rewrite /fleet/(.*) /$1 break; proxy_pass https://{{ masterip }}:8080/; proxy_read_timeout 90; @@ -137,6 +143,8 @@ http { } location /thehive/ { + auth_basic "Security Onion"; + auth_basic_user_file /opt/so/conf/nginx/.htpasswd; proxy_pass http://{{ masterip }}:9000/thehive/; proxy_read_timeout 90; proxy_connect_timeout 90; @@ -159,6 +167,8 @@ http { } location /sensoroni/ { + auth_basic "Security Onion"; + auth_basic_user_file /opt/so/conf/nginx/.htpasswd; proxy_pass http://{{ masterip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; diff --git a/salt/common/nginx/nginx.conf.so-master b/salt/common/nginx/nginx.conf.so-master index 6e512b191..7f922d72a 100644 --- a/salt/common/nginx/nginx.conf.so-master +++ b/salt/common/nginx/nginx.conf.so-master 
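Review bot: `utilsyncscripts` renders every file under salt://common/tools/sbin through Jinja (`template: jinja`) before placing it in /usr/sbin, so any shell script there that contains a Jinja delimiter — `{{`, `{%`, or the comment opener `{#`, which occurs in the ordinary bash length expansion `${#var}` — will fail to render or be silently altered. If templating is not needed for these scripts, drop the `- template: jinja` line; if it is, record the constraint next to the state with a comment such as `# Files in tools/sbin are Jinja-rendered: avoid {{ {% {# or wrap them in {% raw %}`. The state sets `file_mode` but no `dir_mode`, which is fine while the source directory is flat but worth noting if subdirectories are added later.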
@@ -88,7 +88,7 @@ http { # } location /grafana/ { - auth_basic “Security Onion”; + auth_basic "Security Onion"; auth_basic_user_file /opt/so/conf/nginx/.htpasswd; rewrite /grafana/(.*) /$1 break; proxy_pass http://{{ masterip }}:3000/; @@ -102,7 +102,7 @@ http { } location /kibana/ { - auth_basic “Security Onion”; + auth_basic "Security Onion"; auth_basic_user_file /opt/so/conf/nginx/.htpasswd; rewrite /kibana/(.*) /$1 break; proxy_pass http://{{ masterip }}:5601/; @@ -130,7 +130,7 @@ http { location /fleet/ { rewrite /fleet/(.*) /$1 break; - auth_basic “Security Onion”; + auth_basic "Security Onion"; auth_basic_user_file /opt/so/conf/nginx/.htpasswd; proxy_pass https://{{ masterip }}:8080/; proxy_read_timeout 90; @@ -143,7 +143,7 @@ http { } location /thehive/ { - auth_basic “Security Onion”; + auth_basic "Security Onion"; auth_basic_user_file /opt/so/conf/nginx/.htpasswd; proxy_pass http://{{ masterip }}:9000/thehive/; proxy_read_timeout 90; @@ -168,7 +168,7 @@ http { } location /sensoroni/ { - auth_basic “Security Onion”; + auth_basic "Security Onion"; auth_basic_user_file /opt/so/conf/nginx/.htpasswd; proxy_pass http://{{ masterip }}:9822/; proxy_read_timeout 90; From 7c9af420a7373caa4c33e6c8a206788005dfa1ad Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 15 Jul 2019 22:25:50 -0400 Subject: [PATCH 50/66] Core Module - Update versions for alpha --- salt/common/init.sls | 2 +- salt/master/init.sls | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index cf04a6b9b..9ea7c34d4 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -122,7 +122,7 @@ so-core: docker_container.running: - require: - so-coreimage - - image: soshybridhunter/so-core:HH1.0.8 + - image: soshybridhunter/so-core:HH1.1.0 - hostname: so-core - user: socore - binds: diff --git a/salt/master/init.sls b/salt/master/init.sls index b6d240863..8b68a3cf1 100644 --- a/salt/master/init.sls +++ b/salt/master/init.sls 
@@ -48,14 +48,14 @@ acngcopyconf: so-acngimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-acng:HH1.0.7 + - name: docker pull --disable-content-trust=false soshybridhunter/so-acng:HH1.1.0 # Install the apt-cacher-ng container so-aptcacherng: docker_container.running: - require: - so-acngimage - - image: soshybridhunter/so-acng:HH1.0.7 + - image: soshybridhunter/so-acng:HH1.1.0 - hostname: so-acng - port_bindings: - 0.0.0.0:3142:3142 From b98d5e369432fa9981b74f3d78dac081321f7d1c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 15 Jul 2019 22:31:02 -0400 Subject: [PATCH 51/66] Remove ISO install script --- so-setup-iso.sh | 2032 ----------------------------------------------- 1 file changed, 2032 deletions(-) delete mode 100644 so-setup-iso.sh diff --git a/so-setup-iso.sh b/so-setup-iso.sh deleted file mode 100644 index b31e86369..000000000 --- a/so-setup-iso.sh +++ /dev/null 
@@ -1,2032 +0,0 @@ -#!/bin/bash - -# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -# Global Variable Section -HOSTNAME=$(cat /etc/hostname) -TOTAL_MEM=`grep MemTotal /proc/meminfo | awk '{print $2}' | sed -r 's/.{3}$//'` -NICS=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2 " \"" "Interface" "\"" " OFF"}') -CPUCORES=$(cat /proc/cpuinfo | grep processor | wc -l) -LISTCORES=$(cat /proc/cpuinfo | grep processor | awk '{print $3 " \"" "core" "\""}') -RANDOMUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) -NODE_ES_PORT="9200" - -# Reset the Install Log -date -u >~/sosetup.log 2>&1 - -# End Global Variable Section - -# Functions - -accept_salt_key_local() { - echo "Accept the key locally on the master" >>~/sosetup.log 2>&1 - # Accept the key locally on the master - salt-key -ya $HOSTNAME - -} - -accept_salt_key_remote() { - echo "Accept the key remotely on the master" >>~/sosetup.log 2>&1 - # Delete the key just in case. - ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -d $HOSTNAME -y - salt-call state.apply ca - ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -a $HOSTNAME -y - -} - -add_master_hostfile() { - echo "Checking if I can resolve master. 
If not add to hosts file" >>~/sosetup.log 2>&1 - # Pop up an input to get the IP address - local MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3) - - # Add the master to the host file if it doesn't resolve - if ! grep -q $MSRVIP /etc/hosts; then - echo "$MSRVIP $MSRV" >> /etc/hosts - fi -} - -add_socore_user_master() { - echo "Add socore on the master" >>~/sosetup.log 2>&1 - if [ $OS == 'centos' ]; then - local ADDUSER=adduser - else - local ADDUSER=useradd - fi - # Add user "socore" to the master. This will be for things like accepting keys. - groupadd --gid 939 socore - $ADDUSER --uid 939 --gid 939 --home-dir /opt/so socore - # Prompt the user to set a password for the user - passwd socore - -} - -add_socore_user_notmaster() { - echo "Add socore user on non master" >>~/sosetup.log 2>&1 - # Add socore user to the non master system. Probably not a bad idea to make system user - groupadd --gid 939 socore - $ADDUSER --uid 939 --gid 939 --home-dir /opt/so --no-create-home socore - -} - -# Create an auth pillar so that passwords survive re-install -auth_pillar(){ - - if [ ! 
-f /opt/so/saltstack/pillar/auth.sls ]; then - echo "Creating Auth Pillar" >>~/sosetup.log 2>&1 - mkdir -p /opt/so/saltstack/pillar - echo "auth:" >> /opt/so/saltstack/pillar/auth.sls - echo " mysql: $MYSQLPASS" >> /opt/so/saltstack/pillar/auth.sls - echo " fleet: $FLEETPASS" >> /opt/so/saltstack/pillar/auth.sls - fi - -} - -# Enable Bro Logs -bro_logs_enabled() { - echo "Enabling Bro Logs" >>~/sosetup.log 2>&1 - - echo "brologs:" > pillar/brologs.sls - echo " enabled:" >> pillar/brologs.sls - - if [ $MASTERADV == 'ADVANCED' ]; then - for BLOG in ${BLOGS[@]}; do - echo " - $BLOG" | tr -d '"' >> pillar/brologs.sls - done - else - echo " - conn" >> pillar/brologs.sls - echo " - dce_rpc" >> pillar/brologs.sls - echo " - dhcp" >> pillar/brologs.sls - echo " - dhcpv6" >> pillar/brologs.sls - echo " - dnp3" >> pillar/brologs.sls - echo " - dns" >> pillar/brologs.sls - echo " - dpd" >> pillar/brologs.sls - echo " - files" >> pillar/brologs.sls - echo " - ftp" >> pillar/brologs.sls - echo " - http" >> pillar/brologs.sls - echo " - intel" >> pillar/brologs.sls - echo " - irc" >> pillar/brologs.sls - echo " - kerberos" >> pillar/brologs.sls - echo " - modbus" >> pillar/brologs.sls - echo " - mqtt" >> pillar/brologs.sls - echo " - notice" >> pillar/brologs.sls - echo " - ntlm" >> pillar/brologs.sls - echo " - openvpn" >> pillar/brologs.sls - echo " - pe" >> pillar/brologs.sls - echo " - radius" >> pillar/brologs.sls - echo " - rfb" >> pillar/brologs.sls - echo " - rdp" >> pillar/brologs.sls - echo " - signatures" >> pillar/brologs.sls - echo " - sip" >> pillar/brologs.sls - echo " - smb_files" >> pillar/brologs.sls - echo " - smb_mapping" >> pillar/brologs.sls - echo " - smtp" >> pillar/brologs.sls - echo " - snmp" >> pillar/brologs.sls - echo " - software" >> pillar/brologs.sls - echo " - ssh" >> pillar/brologs.sls - echo " - ssl" >> pillar/brologs.sls - echo " - syslog" >> pillar/brologs.sls - echo " - telnet" >> pillar/brologs.sls - echo " - tunnel" >> pillar/brologs.sls - 
echo " - weird" >> pillar/brologs.sls - echo " - mysql" >> pillar/brologs.sls - echo " - socks" >> pillar/brologs.sls - echo " - x509" >> pillar/brologs.sls - fi -} - -calculate_useable_cores() { - - # Calculate reasonable core usage - local CORES4BRO=$(( $CPUCORES/2 - 1 )) - LBPROCSROUND=$(printf "%.0f\n" $CORES4BRO) - # We don't want it to be 0 - if [ "$LBPROCSROUND" -lt 1 ]; then - LBPROCS=1 - else - LBPROCS=$LBPROCSROUND - fi - -} - -checkin_at_boot() { - echo "Enabling checkin at boot" >>~/sosetup.log 2>&1 - echo "startup_states: highstate" >> /etc/salt/minion -} - -chown_salt_master() { - - echo "Chown the salt dirs on the master for socore" >>~/sosetup.log 2>&1 - chown -R socore:socore /opt/so - -} - -clear_master() { - # Clear out the old master public key in case this is a re-install. - # This only happens if you re-install the master. - if [ -f /etc/salt/pki/minion/minion_master.pub ]; then - echo "Clearing old master key" >>~/sosetup.log 2>&1 - rm /etc/salt/pki/minion/minion_master.pub - service salt-minion restart - fi - -} - -configure_minion() { - - # You have to pass the TYPE to this function so it knows if its a master or not - local TYPE=$1 - echo "Configuring minion type as $TYPE" >>~/sosetup.log 2>&1 - touch /etc/salt/grains - echo "role: so-$TYPE" > /etc/salt/grains - if [ $TYPE == 'master' ] || [ $TYPE == 'eval' ]; then - echo "master: $HOSTNAME" > /etc/salt/minion - echo "id: $HOSTNAME" >> /etc/salt/minion - echo "mysql.host: '$MAINIP'" >> /etc/salt/minion - echo "mysql.port: 3306" >> /etc/salt/minion - echo "mysql.user: 'root'" >> /etc/salt/minion - if [ ! 
-f /opt/so/saltstack/pillar/auth.sls ]; then - echo "mysql.pass: '$MYSQLPASS'" >> /etc/salt/minion - else - OLDPASS=$(cat /opt/so/saltstack/pillar/auth.sls | grep mysql | awk {'print $2'}) - echo "mysql.pass: '$OLDPASS'" >> /etc/salt/minion - fi - else - echo "master: $MSRV" > /etc/salt/minion - echo "id: $HOSTNAME" >> /etc/salt/minion - - fi - - service salt-minion restart - -} - -copy_master_config() { - - # Copy the master config template to the proper directory - cp files/master /etc/salt/master - # Restart the service so it picks up the changes -TODO Enable service on CentOS - service salt-master restart - -} - -copy_minion_pillar() { - - # Pass the type so it knows where to copy the pillar - local TYPE=$1 - - # Copy over the pillar - echo "Copying the pillar over" >>~/sosetup.log 2>&1 - scp -v -i /root/.ssh/so.key $TMP/$HOSTNAME.sls socore@$MSRV:/opt/so/saltstack/pillar/$TYPE/$HOSTNAME.sls - - } - -copy_ssh_key() { - - # Generate SSH key - mkdir -p /root/.ssh - cat /dev/zero | ssh-keygen -f /root/.ssh/so.key -t rsa -q -N "" - chown -R $SUDO_USER:$SUDO_USER /root/.ssh - #Copy the key over to the master - ssh-copy-id -f -i /root/.ssh/so.key socore@$MSRV - -} - -create_bond() { - - # Create the bond interface - echo "Setting up Bond" >>~/sosetup.log 2>&1 - - # Set the MTU - if [ $NSMSETUP != 'ADVANCED' ]; then - MTU=1500 - fi - - # Do something different based on the OS - if [ $OS == 'centos' ]; then - modprobe --first-time bonding - touch /etc/sysconfig/network-scripts/ifcfg-bond0 - echo "DEVICE=bond0" > /etc/sysconfig/network-scripts/ifcfg-bond0 - echo "NAME=bond0" >> /etc/sysconfig/network-scripts/ifcfg-bond0 - echo "Type=Bond" >> /etc/sysconfig/network-scripts/ifcfg-bond0 - echo "BONDING_MASTER=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond0 - echo "BOOTPROTO=none" >> /etc/sysconfig/network-scripts/ifcfg-bond0 - echo "BONDING_OPTS=\"mode=0\"" >> /etc/sysconfig/network-scripts/ifcfg-bond0 - echo "ONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond0 - 
echo "MTU=$MTU" >> /etc/sysconfig/network-scripts/ifcfg-bond0 - - # Create Bond configs for the selected monitor interface - for BNIC in ${BNICS[@]}; do - BONDNIC="${BNIC%\"}" - BONDNIC="${BONDNIC#\"}" - sed -i 's/ONBOOT=no/ONBOOT=yes/g' /etc/sysconfig/network-scripts/ifcfg-$BONDNIC - echo "MASTER=bond0" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC - echo "SLAVE=yes" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC - echo "MTU=$MTU" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC - done - nmcli con reload >>~/sosetup.log 2>&1 - systemctl restart network >>~/sosetup.log 2>&1 - - else - - # Need to add 17.04 support still - apt-get -y install ifenslave >>~/sosetup.log 2>&1 - if ! grep -q bonding /etc/modules; then - echo "bonding" >> /etc/modules - fi - modprobe bonding >>~/sosetup.log 2>&1 - - local LBACK=$(awk '/auto lo/,/^$/' /etc/network/interfaces) - local MINT=$(awk "/auto $MNIC/,/^$/" /etc/network/interfaces) - - # Backup and create a new interface file - cp /etc/network/interfaces /etc/network/interfaces.sosetup - echo "source /etc/network/interfaces.d/*" > /etc/network/interfaces - echo "" >> /etc/network/interfaces - - # Let's set up the new interface file - # Populate lo and create file for the management interface - IFS=$'\n' - for line in $LBACK - do - echo $line >> /etc/network/interfaces - done - - IFS=$'\n' - for line in $MINT - do - echo $line >> /etc/network/interfaces.d/$MNIC - done - - # Create entries for each interface that is part of the bond. 
- for BNIC in ${BNICS[@]}; do - - BNIC=$(echo $BNIC | cut -d\" -f2) - echo "auto $BNIC" >> /etc/network/interfaces.d/$BNIC - echo "iface $BNIC inet manual" >> /etc/network/interfaces.d/$BNIC - echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/$BNIC - echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/$BNIC - echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/$BNIC - echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/$BNIC - echo " bond-master bond0" >> /etc/network/interfaces.d/$BNIC - echo " mtu $MTU" >> /etc/network/interfaces.d/$BNIC - - done - - BN=("${BNICS[@]//\"/}") - - echo "auto bond0" > /etc/network/interfaces.d/bond0 - echo "iface bond0 inet manual" >> /etc/network/interfaces.d/bond0 - echo " bond-mode 0" >> /etc/network/interfaces.d/bond0 - echo " bond-slaves $BN" >> /etc/network/interfaces.d/bond0 - echo " mtu $MTU" >> /etc/network/interfaces.d/bond0 - echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/bond0 - echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/bond0 - echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/bond0 - echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/bond0 - fi - -} - -detect_os() { - - # Detect Base OS - echo "Detecting Base OS" >>~/sosetup.log 2>&1 - if [ -f /etc/redhat-release ]; then - OS=centos - yum -y install bind-utils - elif [ -f /etc/os-release ]; then - OS=ubuntu - else - echo "We were unable to determine if you are using a supported OS." 
>>~/sosetup.log 2>&1 - exit - fi - -} - -docker_install() { - - if [ $OS == 'centos' ]; then - yum clean expire-cache - yum -y install yum-utils device-mapper-persistent-data lvm2 openssl - yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo - yum -y update - yum -y install docker-ce docker-python python-docker - docker_registry - echo "Restarting Docker" >>~/sosetup.log 2>&1 - systemctl restart docker - systemctl enable docker - - else - if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then - apt-get update >>~/sosetup.log 2>&1 - apt-get -y install docker-ce >>~/sosetup.log 2>&1 - docker_registry >>~/sosetup.log 2>&1 - echo "Restarting Docker" >>~/sosetup.log 2>&1 - systemctl restart docker >>~/sosetup.log 2>&1 - else - apt-key add $TMP/gpg/docker.pub >>~/sosetup.log 2>&1 - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >>~/sosetup.log 2>&1 - apt-get update >>~/sosetup.log 2>&1 - apt-get -y install docker-ce >>~/sosetup.log 2>&1 - docker_registry >>~/sosetup.log 2>&1 - echo "Restarting Docker" >>~/sosetup.log 2>&1 - systemctl restart docker >>~/sosetup.log 2>&1 - fi - fi - -} - -docker_registry() { - - echo "Setting up Docker Registry" >>~/sosetup.log 2>&1 - mkdir -p /etc/docker >>~/sosetup.log 2>&1 - # Make the host use the master docker registry - echo "{" > /etc/docker/daemon.json - echo " \"registry-mirrors\": [\"https://$MSRV:5000\"]" >> /etc/docker/daemon.json - echo "}" >> /etc/docker/daemon.json - echo "Docker Registry Setup - Complete" >>~/sosetup.log 2>&1 - -} - -es_heapsize() { - - # Determine ES Heap Size - if [ $TOTAL_MEM -lt 8000 ] ; then - ES_HEAP_SIZE="600m" - elif [ $TOTAL_MEM -ge 100000 ]; then - # Set a max of 25GB for heap size - # https://www.elastic.co/guide/en/elasticsearch/guide/current/heap-sizing.html - ES_HEAP_SIZE="25000m" - else - # Set heap size to 25% of available memory - ES_HEAP_SIZE=$(($TOTAL_MEM / 4))"m" - fi - -} - 
-eval_mode_hostsfile() { - - echo "127.0.0.1 $HOSTNAME" >> /etc/hosts - -} - -filter_nics() { - - # Filter the NICs that we don't want to see in setup - FNICS=$(ip link | grep -vw $MNIC | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2 " \"" "Interface" "\"" " OFF"}') - -} - -generate_passwords(){ - # Generate Random Passwords for Things - MYSQLPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) - FLEETPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) - HIVEKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) -} - -get_filesystem_nsm(){ - FSNSM=$(df /nsm | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }') -} - -get_log_size_limit() { - - DISK_DIR="/" - if [ -d /nsm ]; then - DISK_DIR="/nsm" - fi - DISK_SIZE_K=`df $DISK_DIR |grep -v "^Filesystem" | awk '{print $2}'` - PERCENTAGE=85 - DISK_SIZE=DISK_SIZE_K*1000 - PERCENTAGE_DISK_SPACE=`echo $(($DISK_SIZE*$PERCENTAGE/100))` - LOG_SIZE_LIMIT=$(($PERCENTAGE_DISK_SPACE/1000000000)) - -} - -get_filesystem_root(){ - FSROOT=$(df / | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }') -} - -get_main_ip() { - - # Get the main IP address the box is using - MAINIP=$(ip route get 1 | awk '{print $NF;exit}') - MAININT=$(ip route get 1 | awk '{print $5;exit}') - -} - -got_root() { - - # Make sure you are root - if [ "$(id -u)" -ne 0 ]; then - echo "This script must be run using sudo!" 
- exit 1 - fi - -} - -install_cleanup() { - - # Clean up after ourselves - rm -rf /root/installtmp - -} - -install_prep() { - - # Create a tmp space that isn't in /tmp - mkdir /root/installtmp - TMP=/root/installtmp - -} - -install_master() { - - # Install the salt master package - if [ $OS == 'centos' ]; then - yum -y install wget salt-common salt-master >>~/sosetup.log 2>&1 - - # Create a place for the keys for Ubuntu minions - mkdir -p /opt/so/gpg - wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub - wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg - wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH - - else - apt-get install -y salt-common=2018.3.4+ds-1 salt-master=2018.3.4+ds-1 salt-minion=2018.3.4+ds-1 python-m2crypto - apt-mark hold salt-common salt-master salt-minion - apt-get install -y python-m2crypto - fi - - copy_master_config - -} - -ls_heapsize() { - - # Determine LS Heap Size - if [ $TOTAL_MEM -ge 16000 ] ; then - LS_HEAP_SIZE="4192m" - else - # Set a max of 1GB heap if you have less than 16GB RAM - LS_HEAP_SIZE="2g" - fi - -} - -master_pillar() { - - # Create the master pillar - touch /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo "master:" > /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " mainip: $MAINIP" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " mainint: $MAININT" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " esheap: $ES_HEAP_SIZE" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " esclustername: {{ grains.host }}" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - if [ $INSTALLTYPE == 'EVALMODE' ]; then - echo " freq: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " domainstats: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " ls_pipeline_batch_size: 125" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls 
- echo " ls_input_threads: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " ls_batch_count: 125" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " mtu: 1500" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - - else - echo " freq: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " domainstats: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - fi - echo " lsheap: $LS_HEAP_SIZE" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " lsaccessip: 127.0.0.1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " elastalert: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " ls_pipeline_workers: $CPUCORES" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " nids_rules: $RULESETUP" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " oinkcode: $OINKCODE" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - #echo " access_key: $ACCESS_KEY" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - #echo " access_secret: $ACCESS_SECRET" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " es_port: $NODE_ES_PORT" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " log_size_limit: $LOG_SIZE_LIMIT" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " cur_close_days: $CURCLOSEDAYS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - #echo " mysqlpass: $MYSQLPASS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - #echo " fleetpass: $FLEETPASS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " grafana: $GRAFANA" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " osquery: $OSQUERY" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " wazuh: $WAZUH" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " thehive: $THEHIVE" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - } - -master_static() { - - # Create a static file for global values - touch /opt/so/saltstack/pillar/static.sls - - echo "static:" > /opt/so/saltstack/pillar/static.sls - echo " hnmaster: $HNMASTER" >> 
/opt/so/saltstack/pillar/static.sls - echo " ntpserver: $NTPSERVER" >> /opt/so/saltstack/pillar/static.sls - echo " proxy: $PROXY" >> /opt/so/saltstack/pillar/static.sls - echo " broversion: $BROVERSION" >> /opt/so/saltstack/pillar/static.sls - echo " ids: $NIDS" >> /opt/so/saltstack/pillar/static.sls - echo " masterip: $MAINIP" >> /opt/so/saltstack/pillar/static.sls - echo " hiveuser: hiveadmin" >> /opt/so/saltstack/pillar/static.sls - echo " hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls - echo " hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls - echo " fleetsetup: 0" >> /opt/so/saltstack/pillar/static.sls - if [[ $MASTERUPDATES == 'MASTER' ]]; then - echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls - else - echo " masterupdate: 0" >> /opt/so/saltstack/pillar/static.sls - fi -} - -minio_generate_keys() { - - local charSet="[:graph:]" - - ACCESS_KEY=$(cat /dev/urandom | tr -cd "$charSet" | tr -d \' | tr -d \" | head -c 20) - ACCESS_SECRET=$(cat /dev/urandom | tr -cd "$charSet" | tr -d \' | tr -d \" | head -c 40) - -} - -node_pillar() { - - # Create the node pillar - touch $TMP/$HOSTNAME.sls - echo "node:" > $TMP/$HOSTNAME.sls - echo " mainip: $MAINIP" >> $TMP/$HOSTNAME.sls - echo " mainint: $MAININT" >> $TMP/$HOSTNAME.sls - echo " esheap: $NODE_ES_HEAP_SIZE" >> $TMP/$HOSTNAME.sls - echo " esclustername: {{ grains.host }}" >> $TMP/$HOSTNAME.sls - echo " lsheap: $NODE_LS_HEAP_SIZE" >> $TMP/$HOSTNAME.sls - echo " ls_pipeline_workers: $LSPIPELINEWORKERS" >> $TMP/$HOSTNAME.sls - echo " ls_pipeline_batch_size: $LSPIPELINEBATCH" >> $TMP/$HOSTNAME.sls - echo " ls_input_threads: $LSINPUTTHREADS" >> $TMP/$HOSTNAME.sls - echo " ls_batch_count: $LSINPUTBATCHCOUNT" >> $TMP/$HOSTNAME.sls - echo " es_shard_count: $SHARDCOUNT" >> $TMP/$HOSTNAME.sls - echo " node_type: $NODETYPE" >> $TMP/$HOSTNAME.sls - echo " es_port: $NODE_ES_PORT" >> $TMP/$HOSTNAME.sls - echo " log_size_limit: $LOG_SIZE_LIMIT" >> $TMP/$HOSTNAME.sls - echo " 
cur_close_days: $CURCLOSEDAYS" >> $TMP/$HOSTNAME.sls - -} - -process_components() { - CLEAN=${COMPONENTS//\"} - GRAFANA=0 - OSQUERY=0 - WAZUH=0 - THEHIVE=0 - - IFS=$' ' - for item in $(echo "$CLEAN"); do - let $item=1 - done - unset IFS -} - -saltify() { - - # Install updates and Salt - if [ $OS == 'centos' ]; then - ADDUSER=adduser - - if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then - yum -y install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm - cp /etc/yum.repos.d/salt-latest.repo /etc/yum.repos.d/salt-2018-3.repo - sed -i 's/latest/2018.3/g' /etc/yum.repos.d/salt-2018-3.repo - cat > /etc/yum.repos.d/wazuh.repo <<\EOF -[wazuh_repo] -gpgcheck=1 -gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH -enabled=1 -name=Wazuh repository -baseurl=https://packages.wazuh.com/3.x/yum/ -protect=1 -EOF - - else - - if [ $MASTERUPDATES == 'MASTER' ]; then - - # Create the GPG Public Key for the Salt Repo - echo "-----BEGIN PGP PUBLIC KEY BLOCK-----" > /etc/pki/rpm-gpg/saltstack-signing-key - echo "Version: GnuPG v2.0.22 (GNU/Linux)" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "mQENBFOpvpgBCADkP656H41i8fpplEEB8IeLhugyC2rTEwwSclb8tQNYtUiGdna9" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "m38kb0OS2DDrEdtdQb2hWCnswxaAkUunb2qq18vd3dBvlnI+C4/xu5ksZZkRj+fW" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "tArNR18V+2jkwcG26m8AxIrT+m4M6/bgnSfHTBtT5adNfVcTHqiT1JtCbQcXmwVw" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "WbqS6v/LhcsBE//SHne4uBCK/GHxZHhQ5jz5h+3vWeV4gvxS3Xu6v1IlIpLDwUts" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "kT1DumfynYnnZmWTGc6SYyIFXTPJLtnoWDb9OBdWgZxXfHEcBsKGha+bXO+m2tHA" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "gNneN9i5f8oNxo5njrL8jkCckOpNpng18BKXABEBAAG0MlNhbHRTdGFjayBQYWNr" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "YWdpbmcgVGVhbSA8cGFja2FnaW5nQHNhbHRzdGFjay5jb20+iQE4BBMBAgAiBQJT" >> /etc/pki/rpm-gpg/saltstack-signing-key - 
echo "qb6YAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAOCKFJ3le/vhkqB/0Q" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "WzELZf4d87WApzolLG+zpsJKtt/ueXL1W1KA7JILhXB1uyvVORt8uA9FjmE083o1" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "yE66wCya7V8hjNn2lkLXboOUd1UTErlRg1GYbIt++VPscTxHxwpjDGxDB1/fiX2o" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "nK5SEpuj4IeIPJVE/uLNAwZyfX8DArLVJ5h8lknwiHlQLGlnOu9ulEAejwAKt9CU" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "4oYTszYM4xrbtjB/fR+mPnYh2fBoQO4d/NQiejIEyd9IEEMd/03AJQBuMux62tjA" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "/NwvQ9eqNgLw9NisFNHRWtP4jhAOsshv1WW+zPzu3ozoO+lLHixUIz7fqRk38q8Q" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "9oNR31KvrkSNrFbA3D89uQENBFOpvpgBCADJ79iH10AfAfpTBEQwa6vzUI3Eltqb" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "9aZ0xbZV8V/8pnuU7rqM7Z+nJgldibFk4gFG2bHCG1C5aEH/FmcOMvTKDhJSFQUx" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "uhgxttMArXm2c22OSy1hpsnVG68G32Nag/QFEJ++3hNnbyGZpHnPiYgej3FrerQJ" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "zv456wIsxRDMvJ1NZQB3twoCqwapC6FJE2hukSdWB5yCYpWlZJXBKzlYz/gwD/Fr" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "GL578WrLhKw3UvnJmlpqQaDKwmV2s7MsoZogC6wkHE92kGPG2GmoRD3ALjmCvN1E" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "PsIsQGnwpcXsRpYVCoW7e2nW4wUf7IkFZ94yOCmUq6WreWI4NggRcFC5ABEBAAGJ" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "AR8EGAECAAkFAlOpvpgCGwwACgkQDgihSd5Xv74/NggA08kEdBkiWWwJZUZEy7cK" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "WWcgjnRuOHd4rPeT+vQbOWGu6x4bxuVf9aTiYkf7ZjVF2lPn97EXOEGFWPZeZbH4" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "vdRFH9jMtP+rrLt6+3c9j0M8SIJYwBL1+CNpEC/BuHj/Ra/cmnG5ZNhYebm76h5f" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "T9iPW9fFww36FzFka4VPlvA4oB7ebBtquFg3sdQNU/MmTVV4jPFWXxh4oRDDR+8N" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "1bcPnbB11b5ary99F/mqr7RgQ+YFF0uKRE3SKa7a+6cIuHEZ7Za+zhPaQlzAOZlx" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo 
"fuBmScum8uQTrEF5+Um5zkwC7EXTdH1co/+/V/fpOtxIg4XO4kcugZefVm5ERfVS" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "MA==" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "=dtMN" >> /etc/pki/rpm-gpg/saltstack-signing-key - echo "-----END PGP PUBLIC KEY BLOCK-----" >> /etc/pki/rpm-gpg/saltstack-signing-key - - # Add the Wazuh Key - cat > /etc/pki/rpm-gpg/GPG-KEY-WAZUH <<\EOF ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1 - -mQINBFeeyYwBEACyf4VwV8c2++J5BmCl6ofLCtSIW3UoVrF4F+P19k/0ngnSfjWb -8pSWB11HjZ3Mr4YQeiD7yY06UZkrCXk+KXDlUjMK3VOY7oNPkqzNaP6+8bDwj4UA -hADMkaXBvWooGizhCoBtDb1bSbHKcAnQ3PTdiuaqF5bcyKk8hv939CHulL2xH+BP -mmTBi+PM83pwvR+VRTOT7QSzf29lW1jD79v4rtXHJs4KCz/amT/nUm/tBpv3q0sT -9M9rH7MTQPdqvzMl122JcZST75GzFJFl0XdSHd5PAh2mV8qYak5NYNnwA41UQVIa -+xqhSu44liSeZWUfRdhrQ/Nb01KV8lLAs11Sz787xkdF4ad25V/Rtg/s4UXt35K3 -klGOBwDnzPgHK/OK2PescI5Ve1z4x1C2bkGze+gk/3IcfGJwKZDfKzTtqkZ0MgpN -7RGghjkH4wpFmuswFFZRyV+s7jXYpxAesElDSmPJ0O07O4lQXQMROE+a2OCcm0eF -3+Cr6qxGtOp1oYMOVH0vOLYTpwOkAM12/qm7/fYuVPBQtVpTojjV5GDl2uGq7p0o -h9hyWnLeNRbAha0px6rXcF9wLwU5n7mH75mq5clps3sP1q1/VtP/Fr84Lm7OGke4 -9eD+tPNCdRx78RNWzhkdQxHk/b22LCn1v6p1Q0qBco9vw6eawEkz1qwAjQARAQAB -tDFXYXp1aC5jb20gKFdhenVoIFNpZ25pbmcgS2V5KSA8c3VwcG9ydEB3YXp1aC5j -b20+iQI9BBMBCAAnBQJXnsmMAhsDBQkFo5qABQsJCAcDBRUKCQgLBRYCAwEAAh4B -AheAAAoJEJaz7l8pERFFHEsQAIaslejcW2NgjgOZuvn1Bht4JFMbCIPOekg4Z5yF -binRz0wmA7JNaawDHTBYa6L+A2Xneu/LmuRjFRMesqopUukVeGQgHBXbGMzY46eI -rqq/xgvgWzHSbWweiOX0nn+exbEAM5IyW+efkWNz0e8xM1LcxdYZxkVOqFqkp3Wv -J9QUKw6z9ifUOx++G8UO307O3hT2f+x4MUoGZeOF4q1fNy/VyBS2lMg2HF7GWy2y -kjbSe0p2VOFGEZLuu2f5tpPNth9UJiTliZKmgSk/zbKYmSjiVY2eDqNJ4qjuqes0 -vhpUaBjA+DgkEWUrUVXG5yfQDzTiYIF84LknjSJBYSLZ4ABsMjNO+GApiFPcih+B -Xc9Kx7E9RNsNTDqvx40y+xmxDOzVIssXeKqwO8r5IdG3K7dkt2Vkc/7oHOpcKwE5 -8uASMPiqqMo+t1RVa6Spckp3Zz8REILbotnnVwDIwo2HmgASirMGUcttEJzubaIa -Mv43GKs8RUH9s5NenC02lfZG7D8WQCz5ZH7yEWrt5bCaQRNDXjhsYE17SZ/ToHi3 -OpWu050ECWOHdxlXNG3dOWIdFDdBJM7UfUNSSOe2Y5RLsWfwvMFGbfpdlgJcMSDV 
-X+ienkrtXhBteTu0dwPu6HZTFOjSftvtAo0VIqGQrKMvKelkkdNGdDFLQw2mUDcw -EQj6uQINBFeeyYwBEADD1Y3zW5OrnYZ6ghTd5PXDAMB8Z1ienmnb2IUzLM+i0yE2 -TpKSP/XYCTBhFa390rYgFO2lbLDVsiz7Txd94nHrdWXGEQfwrbxsvdlLLWk7iN8l -Fb4B60OfRi3yoR96a/kIPNa0x26+n79LtDuWZ/DTq5JSHztdd9F1sr3h8i5zYmtv -luj99ZorpwYejbBVUm0+gP0ioaXM37uO56UFVQk3po9GaS+GtLnlgoE5volgNYyO -rkeIua4uZVsifREkHCKoLJip6P7S3kTyfrpiSLhouEZ7kV1lbMbFgvHXyjm+/AIx -HIBy+H+e+HNt5gZzTKUJsuBjx44+4jYsOR67EjOdtPOpgiuJXhedzShEO6rbu/O4 -wM1rX45ZXDYa2FGblHCQ/VaS0ttFtztk91xwlWvjTR8vGvp5tIfCi+1GixPRQpbN -Y/oq8Kv4A7vB3JlJscJCljvRgaX0gTBzlaF6Gq0FdcWEl5F1zvsWCSc/Fv5WrUPY -5mG0m69YUTeVO6cZS1aiu9Qh3QAT/7NbUuGXIaAxKnu+kkjLSz+nTTlOyvbG7BVF -a6sDmv48Wqicebkc/rCtO4g8lO7KoA2xC/K/6PAxDrLkVyw8WPsAendmezNfHU+V -32pvWoQoQqu8ysoaEYc/j9fN4H3mEBCN3QUJYCugmHP0pu7VtpWwwMUqcGeUVwAR -AQABiQIlBBgBCAAPBQJXnsmMAhsMBQkFo5qAAAoJEJaz7l8pERFFz8IP/jfBxJSB -iOw+uML+C4aeYxuHSdxmSsrJclYjkw7Asha/fm4Kkve00YAW8TGxwH2kgS72ooNJ -1Q7hUxNbVyrJjQDSMkRKwghmrPnUM3UyHmE0dq+G2NhaPdFo8rKifLOPgwaWAfSV -wgMTK86o0kqRbGpXgVIG5eRwv2FcxM3xGfy7sub07J2VEz7Ba6rYQ3NTbPK42AtV -+wRJDXcgS7y6ios4XQtSbIB5f6GI56zVlwfRd3hovV9ZAIJQ6DKM31wD6Kt/pRun -DjwMZu0/82JMoqmxX/00sNdDT1S13guCfl1WhBu7y1ja9MUX5OpUzyEKg5sxme+L -iY2Rhs6CjmbTm8ER4Uj8ydKyVTy8zbumbB6T8IwCAbEMtPxm6pKh/tgLpoJ+Bj0y -AsGjmhV7R6PKZSDXg7/qQI98iC6DtWc9ibC/QuHLcvm3hz40mBgXAemPJygpxGst -mVtU7O3oHw9cIUpkbMuVqSxgPFmSSq5vEYkka1CYeg8bOz6aCTuO5J0GDlLrpjtx -6lyImbZAF/8zKnW19aq5lshT2qJlTQlZRwwDZX5rONhA6T8IEUnUyD4rAIQFwfJ+ -gsXa4ojD/tA9NLdiNeyEcNfyX3FZwXWCtVLXflzdRN293FKamcdnMjVRjkCnp7iu -7eO7nMgcRoWddeU+2aJFqCoQtKCp/5EKhFey -=UIVm ------END PGP PUBLIC KEY BLOCK----- -EOF - - # Proxy is hating on me.. 
Lets just set it manually - echo "[salt-latest]" > /etc/yum.repos.d/salt-latest.repo - echo "name=SaltStack Latest Release Channel for RHEL/Centos \$releasever" >> /etc/yum.repos.d/salt-latest.repo - echo "baseurl=https://repo.saltstack.com/yum/redhat/7/\$basearch/latest" >> /etc/yum.repos.d/salt-latest.repo - echo "failovermethod=priority" >> /etc/yum.repos.d/salt-latest.repo - echo "enabled=1" >> /etc/yum.repos.d/salt-latest.repo - echo "gpgcheck=1" >> /etc/yum.repos.d/salt-latest.repo - echo "gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key" >> /etc/yum.repos.d/salt-latest.repo - - # Proxy is hating on me.. Lets just set it manually - echo "[salt-2018.3]" > /etc/yum.repos.d/salt-2018-3.repo - echo "name=SaltStack Latest Release Channel for RHEL/Centos \$releasever" >> /etc/yum.repos.d/salt-2018-3.repo - echo "baseurl=https://repo.saltstack.com/yum/redhat/7/\$basearch/2018.3" >> /etc/yum.repos.d/salt-2018-3.repo - echo "failovermethod=priority" >> /etc/yum.repos.d/salt-2018-3.repo - echo "enabled=1" >> /etc/yum.repos.d/salt-2018-3.repo - echo "gpgcheck=1" >> /etc/yum.repos.d/salt-2018-3.repo - echo "gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key" >> /etc/yum.repos.d/salt-2018-3.repo - - cat > /etc/yum.repos.d/wazuh.repo <<\EOF -[wazuh_repo] -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-WAZUH -enabled=1 -name=Wazuh repository -baseurl=https://packages.wazuh.com/3.x/yum/ -protect=1 -EOF - else - yum -y install https://repo.saltstack.com/yum/redhat/salt-repo-latest-2.el7.noarch.rpm - cp /etc/yum.repos.d/salt-latest.repo /etc/yum.repos.d/salt-2018-3.repo - sed -i 's/latest/2018.3/g' /etc/yum.repos.d/salt-2018-3.repo -cat > /etc/yum.repos.d/wazuh.repo <<\EOF -[wazuh_repo] -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-WAZUH -enabled=1 -name=Wazuh repository -baseurl=https://packages.wazuh.com/3.x/yum/ -protect=1 -EOF - fi - fi - - yum clean expire-cache - yum -y install salt-minion-2018.3.4 yum-utils device-mapper-persistent-data lvm2 openssl - 
yum -y update exclude=salt* - systemctl enable salt-minion - - # Nasty hack but required for now - if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then - yum -y install salt-master-2018.3.4 python-m2crypto salt-minion-2018.3.4 m2crypto - systemctl enable salt-master - else - yum -y install salt-minion-2018.3.4 python-m2m2crypto m2crypto - fi - echo "exclude=salt*" >> /etc/yum.conf - - else - ADDUSER=useradd - DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade - - # Add the pre-requisites for installing docker-ce - apt-get -y install ca-certificates curl software-properties-common apt-transport-https openssl >>~/sosetup.log 2>&1 - - # Grab the version from the os-release file - UVER=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}') - - # Nasty hack but required for now - if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then - - # Install the repo for salt - wget --inet4-only -O - https://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest/SALTSTACK-GPG-KEY.pub | apt-key add - - wget --inet4-only -O - https://repo.saltstack.com/apt/ubuntu/$UVER/amd64/2018.3/SALTSTACK-GPG-KEY.pub | apt-key add - - echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest xenial main" > /etc/apt/sources.list.d/saltstack.list - echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/2018.3 xenial main" > /etc/apt/sources.list.d/saltstack2018.list - - # Lets get the docker repo added - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" - - # Create a place for the keys - mkdir -p /opt/so/gpg - wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest/SALTSTACK-GPG-KEY.pub - wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg - 
wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH - - # Get key and install wazuh - curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - - # Add repo - echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list - - # Initialize the new repos - apt-get update >>~/sosetup.log 2>&1 - apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >>~/sosetup.log 2>&1 - apt-mark hold salt-minion salt-common - - else - - # Copy down the gpg keys and install them from the master - mkdir $TMP/gpg - scp socore@$MSRV:/opt/so/gpg/* $TMP/gpg - apt-key add $TMP/gpg/SALTSTACK-GPG-KEY.pub - apt-key add $TMP/gpg/GPG-KEY-WAZUH - echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest xenial main" > /etc/apt/sources.list.d/saltstack.list - echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list - # Initialize the new repos - apt-get update >>~/sosetup.log 2>&1 - apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >>~/sosetup.log 2>&1 - apt-mark hold salt-minion salt-common - - fi - - fi - -} - -salt_checkin() { - # Master State to Fix Mine Usage - if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then - echo "Building Certificate Authority" - salt-call state.apply ca >>~/sosetup.log 2>&1 - echo " *** Restarting Salt to fix any SSL errors. ***" - service salt-master restart >>~/sosetup.log 2>&1 - sleep 5 - service salt-minion restart >>~/sosetup.log 2>&1 - sleep 15 - echo " Applyng a mine hack " - sudo salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt >>~/sosetup.log 2>&1 - echo " Applying SSL state " - salt-call state.apply ssl >>~/sosetup.log 2>&1 - echo "Still Working... 
Hang in there" - #salt-call state.highstate - - else - - # Run Checkin - salt-call state.apply ca >>~/sosetup.log 2>&1 - salt-call state.apply ssl >>~/sosetup.log 2>&1 - #salt-call state.highstate >>~/sosetup.log 2>&1 - - fi - -} - -salt_checkin_message() { - - # Warn the user that this might take a while - echo "####################################################" - echo "## ##" - echo "## Applying and Installing everything ##" - echo "## (This will take a while) ##" - echo "## ##" - echo "####################################################" - -} - -salt_firstcheckin() { - - #First Checkin - salt-call state.highstate >>~/sosetup.log 2>&1 - -} - -salt_master_directories() { - - # Create salt paster directories - mkdir -p /opt/so/saltstack/salt - mkdir -p /opt/so/saltstack/pillar - - # Copy over the salt code and templates - cp -R pillar/* /opt/so/saltstack/pillar/ - chmod +x /opt/so/saltstack/pillar/firewall/addfirewall.sh - chmod +x /opt/so/saltstack/pillar/data/addtotab.sh - cp -R salt/* /opt/so/saltstack/salt/ - -} - -sensor_pillar() { - - # Create the sensor pillar - touch $TMP/$HOSTNAME.sls - echo "sensor:" > $TMP/$HOSTNAME.sls - echo " interface: bond0" >> $TMP/$HOSTNAME.sls - echo " mainip: $MAINIP" >> $TMP/$HOSTNAME.sls - echo " mainint: $MAININT" >> $TMP/$HOSTNAME.sls - if [ $NSMSETUP == 'ADVANCED' ]; then - echo " bro_pins:" >> $TMP/$HOSTNAME.sls - for PIN in $BROPINS; do - PIN=$(echo $PIN | cut -d\" -f2) - echo " - $PIN" >> $TMP/$HOSTNAME.sls - done - echo " suripins:" >> $TMP/$HOSTNAME.sls - for SPIN in $SURIPINS; do - SPIN=$(echo $SPIN | cut -d\" -f2) - echo " - $SPIN" >> $TMP/$HOSTNAME.sls - done - else - echo " bro_lbprocs: $BASICBRO" >> $TMP/$HOSTNAME.sls - echo " suriprocs: $BASICSURI" >> $TMP/$HOSTNAME.sls - fi - echo " brobpf:" >> $TMP/$HOSTNAME.sls - echo " pcapbpf:" >> $TMP/$HOSTNAME.sls - echo " nidsbpf:" >> $TMP/$HOSTNAME.sls - echo " master: $MSRV" >> $TMP/$HOSTNAME.sls - echo " mtu: $MTU" >> $TMP/$HOSTNAME.sls - if [ $HNSENSOR != 
'inherit' ]; then - echo " hnsensor: $HNSENSOR" >> $TMP/$HOSTNAME.sls - fi - echo " access_key: $ACCESS_KEY" >> $TMP/$HOSTNAME.sls - echo " access_secret: $ACCESS_SECRET" >> $TMP/$HOSTNAME.sls - -} - -set_initial_firewall_policy() { - - get_main_ip - if [ $INSTALLTYPE == 'MASTERONLY' ]; then - printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/minions.sls - printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/masterfw.sls - /opt/so/saltstack/pillar/data/addtotab.sh mastertab $HOSTNAME $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM - fi - - if [ $INSTALLTYPE == 'EVALMODE' ]; then - printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/minions.sls - printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/masterfw.sls - printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/forward_nodes.sls - printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/storage_nodes.sls - /opt/so/saltstack/pillar/data/addtotab.sh evaltab $HOSTNAME $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0 - fi - - if [ $INSTALLTYPE == 'SENSORONLY' ]; then - ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP - ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP - ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab $HOSTNAME $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0 - fi - - if [ $INSTALLTYPE == 'STORAGENODE' ]; then - ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP - ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh storage_nodes $MAINIP - ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $HOSTNAME $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM - fi - - if [ $INSTALLTYPE == 'PARSINGNODE' ]; then - echo "blah" - fi - - if [ 
$INSTALLTYPE == 'HOTNODE' ]; then - echo "blah" - fi - - if [ $INSTALLTYPE == 'WARMNODE' ]; then - echo "blah" - fi - -} - -set_node_type() { - - # Determine the node type based on whiplash choice - if [ $INSTALLTYPE == 'STORAGENODE' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then - NODETYPE='storage' - fi - if [ $INSTALLTYPE == 'PARSINGNODE' ]; then - NODETYPE='parser' - fi - if [ $INSTALLTYPE == 'HOTNODE' ]; then - NODETYPE='hot' - fi - if [ $INSTALLTYPE == 'WARMNODE' ]; then - NODETYPE='warm' - fi - -} - -set_updates() { - echo "MASTERUPDATES is $MASTERUPDATES" - if [ $MASTERUPDATES == 'MASTER' ]; then - if [ $OS == 'centos' ]; then - if ! grep -q $MSRV /etc/yum.conf; then - echo "proxy=http://$MSRV:3142" >> /etc/yum.conf - fi - - else - - # Set it up so the updates roll through the master - echo "Acquire::http::Proxy \"http://$MSRV:3142\";" > /etc/apt/apt.conf.d/00Proxy - echo "Acquire::https::Proxy \"http://$MSRV:3142\";" >> /etc/apt/apt.conf.d/00Proxy - - fi - fi -} - -update_sudoers() { - - if ! grep -qE '^socore\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then - # Update Sudoers so that socore can accept keys without a password - echo "socore ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | sudo tee -a /etc/sudoers - echo "socore ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/firewall/addfirewall.sh" | sudo tee -a /etc/sudoers - echo "socore ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/data/addtotab.sh" | sudo tee -a /etc/sudoers - else - echo "User socore already granted sudo privileges" - fi - -} - -########################################### -## ## -## Whiptail Menu Section ## -## ## -########################################### - -whiptail_basic_bro() { - - BASICBRO=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter the number of bro processes:" 10 60 $LBPROCS 3>&1 1>&2 2>&3) - - local exitstatus=$? 
- whiptail_check_exitstatus $exitstatus - -} - -whiptail_basic_suri() { - - BASICSURI=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter the number of Suricata Processes:" 10 60 $LBPROCS 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_bro_pins() { - - BROPINS=$(whiptail --noitem --title "Pin Bro CPUS" --checklist "Please Select $LBPROCS cores to pin Bro to:" 20 78 12 ${LISTCORES[@]} 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - -} - -whiptail_bro_version() { - - BROVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate meta data?" 20 78 4 "ZEEK" "Install Zeek (aka Bro)" ON \ - "COMMUNITY" "Install Community NSM" OFF "SURICATA" "SUPER EXPERIMENTAL" OFF 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_bond_nics() { - - BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 78 12 ${FNICS[@]} 3>&1 1>&2 2>&3 ) - - while [ -z "$BNICS" ] - do - BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 78 12 ${FNICS[@]} 3>&1 1>&2 2>&3 ) - done - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_bond_nics_mtu() { - - # Set the MTU on the monitor interface - MTU=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter the MTU for the monitor NICs" 10 60 1500 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_cancel() { - - whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 
8 78 - install_cleanup - exit - -} - -whiptail_check_exitstatus() { - - if [ $1 == '1' ]; then - echo "They hit cancel" - whiptail_cancel - fi - -} - -whiptail_cur_close_days() { - - CURCLOSEDAYS=$(whiptail --title "Security Onion Setup" --inputbox \ - "Please specify the threshold (in days) at which Elasticsearch indices will be closed" 10 60 $CURCLOSEDAYS 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} -whiptail_enable_components() { - COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \ - "Select Components to install" 20 78 8 \ - "GRAFANA" "Enable Grafana for system monitoring" ON \ - "OSQUERY" "Enable Fleet with osquery" ON \ - "WAZUH" "Enable Wazuh" ON \ - "THEHIVE" "Enable TheHive" ON 3>&1 1>&2 2>&3 ) -} - -whiptail_eval_adv() { - EVALADVANCED=$(whiptail --title "Security Onion Setup" --radiolist \ - "Choose your eval install:" 20 78 4 \ - "BASIC" "Install basic components for evaluation" ON \ - "ADVANCED" "Choose additional components to be installed" OFF 3>&1 1>&2 2>&3 ) -} - -whiptail_eval_adv_warning() { - whiptail --title "Security Onion Setup" --msgbox "Please keep in mind the more services that you enable the more RAM that is required." 8 78 -} - -whiptail_homenet_master() { - - # Ask for the HOME_NET on the master - HNMASTER=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter your HOME_NET separated by ," 10 60 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_homenet_sensor() { - - # Ask to inherit from master - whiptail --title "Security Onion Setup" --yesno "Do you want to inherit the HOME_NET from the Master?" 8 78 - - local exitstatus=$? 
- if [ $exitstatus == 0 ]; then - HNSENSOR=inherit - else - HNSENSOR=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter your HOME_NET separated by ," 10 60 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 3>&1 1>&2 2>&3) - fi - -} - -whiptail_install_type() { - - # What kind of install are we doing? - INSTALLTYPE=$(whiptail --title "Security Onion Setup" --radiolist \ - "Choose Install Type:" 20 78 14 \ - "SENSORONLY" "Create a forward only sensor" ON \ - "STORAGENODE" "Add a Storage Hot Node with parsing" OFF \ - "MASTERONLY" "Start a new grid" OFF \ - "PARSINGNODE" "TODO Add a dedicated Parsing Node" OFF \ - "HOTNODE" "TODO Add a Hot Node (Storage Node without Parsing)" OFF \ - "WARMNODE" "TODO Add a Warm Node to an existing Hot or Storage node" OFF \ - "EVALMODE" "Evaluate all the things" OFF \ - "WAZUH" "TODO Stand Alone Wazuh Node" OFF \ - "STRELKA" "TODO Stand Alone Strelka Node" OFF \ - "FLEET" "TODO Stand Alone Fleet OSQuery Node" OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_log_size_limit() { - - LOG_SIZE_LIMIT=$(whiptail --title "Security Onion Setup" --inputbox \ - "Please specify the amount of disk space (in GB) you would like to allocate for Elasticsearch data storage. \ - By default, this is set to 85% of the disk space allotted for /nsm." 10 60 $LOG_SIZE_LIMIT 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - - -whiptail_management_nic() { - - MNIC=$(whiptail --title "NIC Setup" --radiolist "Please select your management NIC" 20 78 12 ${NICS[@]} 3>&1 1>&2 2>&3 ) - - while [ -z "$MNIC" ] - do - MNIC=$(whiptail --title "NIC Setup" --radiolist "Please select your management NIC" 20 78 12 ${NICS[@]} 3>&1 1>&2 2>&3 ) - done - - local exitstatus=$? 
- whiptail_check_exitstatus $exitstatus - -} - -whiptail_nids() { - - NIDS=$(whiptail --title "Security Onion Setup" --radiolist \ - "Choose which IDS to run:" 20 78 4 \ - "Suricata" "Suricata 4.X" ON \ - "Snort" "Snort 3.0 Beta" OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_oinkcode() { - - OINKCODE=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter your oinkcode" 10 60 XXXXXXX 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_make_changes() { - - whiptail --title "Security Onion Setup" --yesno "We are going to set this machine up as a $INSTALLTYPE. Please hit YES to make changes or NO to cancel." 8 78 - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_management_server() { - - MSRV=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter your Master Server HOSTNAME. It is CASE SENSITIVE!" 10 60 XXXX 3>&1 1>&2 2>&3) - - # See if it resolves. Otherwise prompt to add to host file - TESTHOST=$(host $MSRV) - - if [[ $TESTHOST = *"not found"* ]]; then - add_master_hostfile - fi - - - local exitstatus=$? 
- whiptail_check_exitstatus $exitstatus - -} - -# Ask if you want to do advanced setup of the Master -whiptail_master_adv() { - MASTERADV=$(whiptail --title "Security Onion Setup" --radiolist \ - "Choose what type of master install:" 20 78 4 \ - "BASIC" "Install master with recommended settings" ON \ - "ADVANCED" "Do additional configuration to the master" OFF 3>&1 1>&2 2>&3 ) -} - -# Ask which additional components to install -whiptail_master_adv_service_brologs() { - - BLOGS=$(whiptail --title "Security Onion Setup" --checklist "Please Select Logs to Send:" 24 78 12 \ - "conn" "Connection Logging" ON \ - "dce_rpc" "RPC Logs" ON \ - "dhcp" "DHCP Logs" ON \ - "dhcpv6" "DHCP IPv6 Logs" ON \ - "dnp3" "DNP3 Logs" ON \ - "dns" "DNS Logs" ON \ - "dpd" "DPD Logs" ON \ - "files" "Files Logs" ON \ - "ftp" "FTP Logs" ON \ - "http" "HTTP Logs" ON \ - "intel" "Intel Hits Logs" ON \ - "irc" "IRC Chat Logs" ON \ - "kerberos" "Kerberos Logs" ON \ - "modbus" "MODBUS Logs" ON \ - "mqtt" "MQTT Logs" ON \ - "notice" "Zeek Notice Logs" ON \ - "ntlm" "NTLM Logs" ON \ - "openvpn" "OPENVPN Logs" ON \ - "pe" "PE Logs" ON \ - "radius" "Radius Logs" ON \ - "rfb" "RFB Logs" ON \ - "rdp" "RDP Logs" ON \ - "signatures" "Signatures Logs" ON \ - "sip" "SIP Logs" ON \ - "smb_files" "SMB Files Logs" ON \ - "smb_mapping" "SMB Mapping Logs" ON \ - "smtp" "SMTP Logs" ON \ - "snmp" "SNMP Logs" ON \ - "software" "Software Logs" ON \ - "ssh" "SSH Logs" ON \ - "ssl" "SSL Logs" ON \ - "syslog" "Syslog Logs" ON \ - "telnet" "Telnet Logs" ON \ - "tunnel" "Tunnel Logs" ON \ - "weird" "Zeek Weird Logs" ON \ - "mysql" "MySQL Logs" ON \ - "socks" "SOCKS Logs" ON \ - "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 ) -} - -whiptail_network_notice() { - - whiptail --title "Security Onion Setup" --yesno "Since this is a network install we assume the management interface, DNS, Hostname, etc are already set up. Hit YES to continue." 8 78 - - local exitstatus=$? 
- whiptail_check_exitstatus $exitstatus - -} - -whiptail_node_advanced() { - - NODESETUP=$(whiptail --title "Security Onion Setup" --radiolist \ - "What type of config would you like to use?:" 20 78 4 \ - "NODEBASIC" "Install Storage Node with recommended settings" ON \ - "NODEADVANCED" "Advanced Node Setup" OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_node_es_heap() { - - es_heapsize - NODE_ES_HEAP_SIZE=$(whiptail --title "Security Onion Setup" --inputbox \ - "\nEnter ES Heap Size: \n \n(Recommended value is pre-populated)" 10 60 $ES_HEAP_SIZE 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_node_ls_heap() { - - ls_heapsize - NODE_LS_HEAP_SIZE=$(whiptail --title "Security Onion Setup" --inputbox \ - "\nEnter LogStash Heap Size: \n \n(Recommended value is pre-populated)" 10 60 $LS_HEAP_SIZE 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_node_ls_pipeline_worker() { - - LSPIPELINEWORKERS=$(whiptail --title "Security Onion Setup" --inputbox \ - "\nEnter LogStash Pipeline Workers: \n \n(Recommended value is pre-populated)" 10 60 $CPUCORES 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_node_ls_pipline_batchsize() { - - LSPIPELINEBATCH=$(whiptail --title "Security Onion Setup" --inputbox \ - "\nEnter LogStash Pipeline Batch Size: \n \n(Default value is pre-populated)" 10 60 125 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_node_ls_input_threads() { - - LSINPUTTHREADS=$(whiptail --title "Security Onion Setup" --inputbox \ - "\nEnter LogStash Input Threads: \n \n(Default value is pre-populated)" 10 60 1 3>&1 1>&2 2>&3) - - local exitstatus=$? 
- whiptail_check_exitstatus $exitstatus - -} - -whiptail_node_ls_input_batch_count() { - - LSINPUTBATCHCOUNT=$(whiptail --title "Security Onion Setup" --inputbox \ - "\nEnter LogStash Input Batch Count: \n \n(Default value is pre-populated)" 10 60 125 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_rule_setup() { - - # Get pulled pork info - RULESETUP=$(whiptail --title "Security Onion Setup" --radiolist \ - "What IDS rules to use?:" 20 140 4 \ - "ETOPEN" "Emerging Threats Open - no oinkcode required" ON \ - "ETPRO" "Emerging Threats PRO - requires ETPRO oinkcode" OFF \ - "TALOSET" "Snort Subscriber (Talos) ruleset and Emerging Threats NoGPL ruleset - requires Snort Subscriber oinkcode" OFF \ - "TALOS" "Snort Subscriber (Talos) ruleset only and set a Snort Subscriber policy - requires Snort Subscriber oinkcode" OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_sensor_config() { - - NSMSETUP=$(whiptail --title "Security Onion Setup" --radiolist \ - "What type of configuration would you like to use?:" 20 78 4 \ - "BASIC" "Install NSM components with recommended settings" ON \ - "ADVANCED" "Configure each component individually" OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_setup_complete() { - - whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE. A reboot is recommended." 8 78 - install_cleanup - exit - -} - -whiptail_setup_failed() { - - whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see /root/sosetup.log for details" 8 78 - install_cleanup - exit - -} - -whiptail_shard_count() { - - SHARDCOUNT=$(whiptail --title "Security Onion Setup" --inputbox \ - "\nEnter ES Shard Count: \n \n(Default value is pre-populated)" 10 60 125 3>&1 1>&2 2>&3) - - local exitstatus=$? 
- whiptail_check_exitstatus $exitstatus - -} - -whiptail_suricata_pins() { - - FILTEREDCORES=$(echo ${LISTCORES[@]} ${BROPINS[@]} | tr -d '"' | tr ' ' '\n' | sort | uniq -u | awk '{print $1 " \"" "core" "\""}') - SURIPINS=$(whiptail --noitem --title "Pin Suricata CPUS" --checklist "Please Select $LBPROCS cores to pin Suricata to:" 20 78 12 ${FILTEREDCORES[@]} 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_master_updates() { - - MASTERUPDATES=$(whiptail --title "Security Onion Setup" --radiolist \ - "How would you like to download updates for your grid?:" 20 78 4 \ - "MASTER" "Have the master node act as a proxy for OS/Docker updates." ON \ - "OPEN" "Have each node connect to the Internet for updates" OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_node_updates() { - - NODEUPDATES=$(whiptail --title "Security Onion Setup" --radiolist \ - "How would you like to download updates for this node?:" 20 78 4 \ - "MASTER" "Download OS/Docker updates from the Master." ON \ - "OPEN" "Download updates directly from the Internet" OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_you_sure() { - - whiptail --title "Security Onion Setup" --yesno "Are you sure you want to install Security Onion over the internet?" 8 78 - -} - -######################## -## ## -## End Functions ## -## ## -######################## - -##################### -## ## -## Let's Go! ## -## ## -##################### - -# Check for prerequisites -got_root -detect_os - -if [ $OS == ubuntu ]; then - # Override the horrible Ubuntu whiptail color pallete - update-alternatives --set newt-palette /etc/newt/palette.original -fi - -# Question Time -if (whiptail_you_sure); then - - # Create a temp dir to get started - install_prep - - # Let folks know they need their management interface already set up. 
- whiptail_network_notice - - # Go ahead and gen the keys so we can use them for any sensor type - Disabled for now - #minio_generate_keys - - # What kind of install are we doing? - whiptail_install_type - - #################### - ## Master ## - #################### - - if [ $INSTALLTYPE == 'MASTERONLY' ]; then - - # Would you like to do an advanced install? - whiptail_master_adv - - # Pick the Management NIC - whiptail_management_nic - - # Choose Zeek or Community NSM - whiptail_bro_version - - # Select Snort or Suricata - whiptail_nids - - # Snag the HOME_NET - whiptail_homenet_master - - # Pick your Ruleset - whiptail_rule_setup - - # Get the code if it isn't ET Open - if [ $RULESETUP != 'ETOPEN' ]; then - # Get the code - whiptail_oinkcode - fi - - # Find out how to handle updates - whiptail_master_updates - whiptail_enable_components - process_components - - # Do Advacned Setup if they chose it - if [ $MASTERADV == 'ADVANCED' ]; then - # Ask which bro logs to enable - Need to add Suricata check - if [ $BROVERSION != 'SURICATA' ]; then - whiptail_master_adv_service_brologs - fi - fi - - # Last Chance to back out - whiptail_make_changes - generate_passwords - auth_pillar - clear_master - mkdir -p /nsm - get_filesystem_root - get_filesystem_nsm - # Enable Bro Logs - bro_logs_enabled - - # Figure out the main IP address - get_main_ip - - # Add the user so we can sit back and relax - echo "" - echo "**** Please set a password for socore. You will use this password when setting up other Nodes/Sensors" - echo "" - add_socore_user_master - - # Install salt and dependencies - { - sleep 0.5 - echo -e "XXX\n0\nInstalling and configuring Salt... \nXXX" - echo " ** Installing Salt and Dependencies **" >>~/sosetup.log - saltify >>~/sosetup.log 2>&1 - echo -e "XXX\n5\nInstalling Docker... \nXXX" - docker_install >>~/sosetup.log 2>&1 - echo -e "XXX\n10\nConfiguring Salt Master... 
\nXXX" - echo " ** Configuring Minion **" >>~/sosetup.log - configure_minion master >>~/sosetup.log 2>&1 - echo " ** Installing Salt Master **" >>~/sosetup.log - install_master >>~/sosetup.log 2>&1 - salt_master_directories >>~/sosetup.log 2>&1 - update_sudoers >>~/sosetup.log 2>&1 - chown_salt_master >>~/sosetup.log 2>&1 - es_heapsize >>~/sosetup.log 2>&1 - ls_heapsize >>~/sosetup.log 2>&1 - echo -e "XXX\n25\nConfiguring Default Pillars... \nXXX" - master_static >>~/sosetup.log 2>&1 - echo "** Generating the master pillar **" >>~/sosetup.log - master_pillar >>~/sosetup.log 2>&1 - echo -e "XXX\n30\nAccepting Salt Keys... \nXXX" - # Do a checkin to push the key up - echo "** Pushing the key up to Master **" >>~/sosetup.log - salt_firstcheckin >>~/sosetup.log 2>&1 - # Accept the Master Key - echo "** Accepting the key on the master **" >>~/sosetup.log - accept_salt_key_local >>~/sosetup.log 2>&1 - echo -e "XXX\n35\nConfiguring Firewall... \nXXX" - # Open the firewall - echo "** Setting the initial firewall policy **" >>~/sosetup.log - set_initial_firewall_policy >>~/sosetup.log 2>&1 - # Do the big checkin but first let them know it will take a bit. - echo -e "XXX\n40\nGenerating CA... \nXXX" - salt_checkin >>~/sosetup.log 2>&1 - salt-call state.apply ca >>~/sosetup.log 2>&1 - salt-call state.apply ssl >>~/sosetup.log 2>&1 - echo -e "XXX\n43\nInstalling Common Components... \nXXX" - salt-call state.apply common >>~/sosetup.log 2>&1 - echo -e "XXX\n45\nApplying firewall rules... \nXXX" - salt-call state.apply firewall >>~/sosetup.log 2>&1 - salt-call state.apply master >>~/sosetup.log 2>&1 - salt-call state.apply idstools >>~/sosetup.log 2>&1 - echo -e "XXX\n40\nInstalling Redis... \nXXX" - salt-call state.apply redis >>~/sosetup.log 2>&1 - if [[ $OSQUERY == '1' ]]; then - echo -e "XXX\n41\nInstalling MySQL... \nXXX" - salt-call state.apply mysql >>~/sosetup.log 2>&1 - fi - echo -e "XXX\n45\nInstalling Elastic Components... 
\nXXX" - salt-call state.apply elasticsearch >>~/sosetup.log 2>&1 - salt-call state.apply logstash >>~/sosetup.log 2>&1 - salt-call state.apply kibana >>~/sosetup.log 2>&1 - salt-call state.apply elastalert >>~/sosetup.log 2>&1 - if [[ $WAZUH == '1' ]]; then - echo -e "XXX\n68\nInstalling Wazuh... \nXXX" - salt-call state.apply wazuh >>~/sosetup.log 2>&1 - fi - echo -e "XXX\n75\nInstalling Filebeat... \nXXX" - salt-call state.apply filebeat >>~/sosetup.log 2>&1 - salt-call state.apply utility >>~/sosetup.log 2>&1 - salt-call state.apply schedule >>~/sosetup.log 2>&1 - if [[ $OSQUERY == '1' ]]; then - echo -e "XXX\n79\nInstalling Fleet... \nXXX" - salt-call state.apply fleet >>~/sosetup.log 2>&1 - salt-call state.apply launcher >>~/sosetup.log 2>&1 - fi - echo -e "XXX\n85\nConfiguring SOctopus... \nXXX" - salt-call state.apply soctopus >>~/sosetup.log 2>&1 - if [[ $THEHIVE == '1' ]]; then - echo -e "XXX\n87\nInstalling TheHive... \nXXX" - salt-call state.apply hive >>~/sosetup.log 2>&1 - fi - echo -e "XXX\n75\nEnabling Checking at Boot... \nXXX" - checkin_at_boot >>~/sosetup.log 2>&1 - echo -e "XXX\n95\nVerifying Install... 
\nXXX" - salt-call state.highstate >>~/sosetup.log 2>&1 - - } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 - GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') - if [[ $GOODSETUP == '0' ]]; then - whiptail_setup_complete - else - whiptail_setup_failed - fi - - fi - - #################### - ## Sensor ## - #################### - - if [ $INSTALLTYPE == 'SENSORONLY' ]; then - whiptail_management_nic - filter_nics - whiptail_bond_nics - whiptail_management_server - whiptail_master_updates - set_updates - whiptail_homenet_sensor - whiptail_sensor_config - # Calculate lbprocs so we can call it in the prompts - calculate_useable_cores - if [ $NSMSETUP == 'ADVANCED' ]; then - whiptail_bro_pins - whiptail_suricata_pins - whiptail_bond_nics_mtu - else - whiptail_basic_bro - whiptail_basic_suri - fi - whiptail_make_changes - clear_master - mkdir -p /nsm - get_filesystem_root - get_filesystem_nsm - copy_ssh_key - { - sleep 0.5 - echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX" - set_initial_firewall_policy >>~/sosetup.log 2>&1 - echo -e "XXX\n3\nCreating Bond Interface... \nXXX" - create_bond >>~/sosetup.log 2>&1 - echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX" - sensor_pillar >>~/sosetup.log 2>&1 - echo -e "XXX\n5\nInstalling Salt Components... \nXXX" - saltify >>~/sosetup.log 2>&1 - echo -e "XXX\n20\nInstalling Docker... \nXXX" - docker_install >>~/sosetup.log 2>&1 - echo -e "XXX\n22\nConfiguring Salt Minion... \nXXX" - configure_minion sensor >>~/sosetup.log 2>&1 - echo -e "XXX\n24\nCopying Sensor Pillar to Master... \nXXX" - copy_minion_pillar sensors >>~/sosetup.log 2>&1 - echo -e "XXX\n25\nSending Salt Key to Master... \nXXX" - salt_firstcheckin >>~/sosetup.log 2>&1 - echo -e "XXX\n26\nTelling the Master to Accept Key... \nXXX" - # Accept the Salt Key - accept_salt_key_remote >>~/sosetup.log 2>&1 - echo -e "XXX\n27\nApplying SSL Certificates... 
\nXXX" - salt-call state.apply ca >>~/sosetup.log 2>&1 - salt-call state.apply ssl >>~/sosetup.log 2>&1 - echo -e "XXX\n35\nInstalling Core Components... \nXXX" - salt-call state.apply common >>~/sosetup.log 2>&1 - salt-call state.apply firewall >>~/sosetup.log 2>&1 - echo -e "XXX\n50\nInstalling PCAP... \nXXX" - salt-call state.apply pcap >>~/sosetup.log 2>&1 - echo -e "XXX\n60\nInstalling IDS components... \nXXX" - salt-call state.apply suricata >>~/sosetup.log 2>&1 - echo -e "XXX\n80\nVerifying Install... \nXXX" - salt-call state.highstate >>~/sosetup.log 2>&1 - checkin_at_boot >>~/sosetup.log 2>&1 - } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 - GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') - if [[ $GOODSETUP == '0' ]]; then - whiptail_setup_complete - else - whiptail_setup_failed - fi - fi - - ####################### - ## Eval Mode ## - ####################### - - if [ $INSTALLTYPE == 'EVALMODE' ]; then - # Select the management NIC - whiptail_management_nic - - # Filter out the management NIC - filter_nics - - # Select which NICs are in the bond - whiptail_bond_nics - - # Snag the HOME_NET - whiptail_homenet_master - whiptail_eval_adv_warning - whiptail_enable_components - - # Set a bunch of stuff since this is eval - es_heapsize - ls_heapsize - NODE_ES_HEAP_SIZE="600m" - NODE_LS_HEAP_SIZE="2000m" - LSPIPELINEWORKERS=1 - LSPIPELINEBATCH=125 - LSINPUTTHREADS=1 - LSINPUTBATCHCOUNT=125 - RULESETUP=ETOPEN - NSMSETUP=BASIC - NIDS=Suricata - BROVERSION=ZEEK - CURCLOSEDAYS=30 - process_components - whiptail_make_changes - #eval_mode_hostsfile - generate_passwords - auth_pillar - clear_master - mkdir -p /nsm - get_filesystem_root - get_filesystem_nsm - get_log_size_limit - get_main_ip - # Add the user so we can sit back and relax - echo "" - echo "**** Please set a password for socore. 
You will use this password when setting up other Nodes/Sensors" - echo "" - add_socore_user_master - { - sleep 0.5 - echo -e "XXX\n0\nCreating Bond Interface... \nXXX" - create_bond >>~/sosetup.log 2>&1 - echo -e "XXX\n1\nInstalling saltstack... \nXXX" - saltify >>~/sosetup.log 2>&1 - echo -e "XXX\n3\nInstalling docker... \nXXX" - docker_install >>~/sosetup.log 2>&1 - echo -e "XXX\n5\nInstalling master code... \nXXX" - install_master >>~/sosetup.log 2>&1 - echo -e "XXX\n6\nCopying salt code... \nXXX" - salt_master_directories >>~/sosetup.log 2>&1 - echo -e "XXX\n6\nupdating suduers... \nXXX" - update_sudoers >>~/sosetup.log 2>&1 - echo -e "XXX\n7\nFixing some permissions... \nXXX" - chown_salt_master >>~/sosetup.log 2>&1 - echo -e "XXX\n7\nCreating the static pillar... \nXXX" - # Set the static values - master_static >>~/sosetup.log 2>&1 - echo -e "XXX\n7\nCreating the master pillar... \nXXX" - master_pillar >>~/sosetup.log 2>&1 - echo -e "XXX\n7\nConfiguring minion... \nXXX" - configure_minion eval >>~/sosetup.log 2>&1 - echo -e "XXX\n7\nSetting the node type to eval... \nXXX" - set_node_type >>~/sosetup.log 2>&1 - echo -e "XXX\n7\nStorage node pillar... \nXXX" - node_pillar >>~/sosetup.log 2>&1 - echo -e "XXX\n8\nCreating firewall policies... \nXXX" - set_initial_firewall_policy >>~/sosetup.log 2>&1 - echo -e "XXX\n10\nRegistering agent... \nXXX" - salt_firstcheckin >>~/sosetup.log 2>&1 - echo -e "XXX\n11\nAccepting Agent... \nXXX" - accept_salt_key_local >>~/sosetup.log 2>&1 - echo -e "XXX\n12\nRunning the SSL states... \nXXX" - salt_checkin >>~/sosetup.log 2>&1 - salt-call state.apply ca >>~/sosetup.log 2>&1 - salt-call state.apply ssl >>~/sosetup.log 2>&1 - echo -e "XXX\n15\nInstalling core components... \nXXX" - salt-call state.apply common >>~/sosetup.log 2>&1 - echo -e "XXX\n18\nInitializing firewall rules... \nXXX" - salt-call state.apply firewall >>~/sosetup.log 2>&1 - echo -e "XXX\n25\nInstalling master components... 
\nXXX" - salt-call state.apply master >>~/sosetup.log 2>&1 - salt-call state.apply idstools >>~/sosetup.log 2>&1 - if [[ $OSQUERY == '1' ]]; then - salt-call state.apply mysql >>~/sosetup.log 2>&1 - fi - echo -e "XXX\n35\nInstalling ElasticSearch... \nXXX" - salt-call state.apply elasticsearch >>~/sosetup.log 2>&1 - echo -e "XXX\n40\nInstalling Logstash... \nXXX" - salt-call state.apply logstash >>~/sosetup.log 2>&1 - echo -e "XXX\n45\nInstalling ElasticSearch... \nXXX" - salt-call state.apply kibana >>~/sosetup.log 2>&1 - echo -e "XXX\n50\nInstalling pcap... \nXXX" - salt-call state.apply pcap >>~/sosetup.log 2>&1 - echo -e "XXX\n52\nInstalling Suricata... \nXXX" - salt-call state.apply suricata >>~/sosetup.log 2>&1 - echo -e "XXX\n54\nInstalling Zeek... \nXXX" - salt-call state.apply bro >>~/sosetup.log 2>&1 - echo -e "XXX\n56\nInstalling curator... \nXXX" - salt-call state.apply curator >>~/sosetup.log 2>&1 - echo -e "XXX\n58\nInstalling elastalert... \nXXX" - salt-call state.apply elastalert >>~/sosetup.log 2>&1 - if [[ $OSQUERY == '1' ]]; then - echo -e "XXX\n60\nInstalling fleet... \nXXX" - salt-call state.apply fleet >>~/sosetup.log 2>&1 - salt-call state.apply redis >>~/sosetup.log 2>&1 - fi - if [[ $WAZUH == '1' ]]; then - echo -e "XXX\n65\nInstalling Wazuh components... \nXXX" - salt-call state.apply wazuh >>~/sosetup.log 2>&1 - fi - echo -e "XXX\n85\nInstalling filebeat... \nXXX" - salt-call state.apply filebeat >>~/sosetup.log 2>&1 - salt-call state.apply utility >>~/sosetup.log 2>&1 - echo -e "XXX\n95\nInstalling misc components... \nXXX" - salt-call state.apply schedule >>~/sosetup.log 2>&1 - salt-call state.apply soctopus >>~/sosetup.log 2>&1 - if [[ $THEHIVE == '1' ]]; then - salt-call state.apply hive >>~/sosetup.log 2>&1 - fi - echo -e "XXX\n98\nSetting checkin to run on boot... \nXXX" - checkin_at_boot >>~/sosetup.log 2>&1 - echo -e "XXX\n99\nVerifying Setup... 
\nXXX" - salt-call state.highstate >>~/sosetup.log 2>&1 - - } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 - GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') - if [ $OS == 'centos' ]; then - if [[ $GOODSETUP == '1' ]]; then - whiptail_setup_complete - else - whiptail_setup_failed - fi - else - if [[ $GOODSETUP == '0' ]]; then - whiptail_setup_complete - else - whiptail_setup_failed - fi - fi - fi - - ################### - ## Nodes ## - ################### - - if [ $INSTALLTYPE == 'STORAGENODE' ] || [ $INSTALLTYPE == 'PARSINGNODE' ] || [ $INSTALLTYPE == 'HOTNODE' ] || [ $INSTALLTYPE == 'WARMNODE' ]; then - whiptail_management_nic - whiptail_management_server - whiptail_master_updates - set_updates - get_log_size_limit - CURCLOSEDAYS=30 - es_heapsize - ls_heapsize - whiptail_node_advanced - if [ $NODESETUP == 'NODEADVANCED' ]; then - whiptail_node_es_heap - whiptail_node_ls_heap - whiptail_node_ls_pipeline_worker - whiptail_node_ls_pipline_batchsize - whiptail_node_ls_input_threads - whiptail_node_ls_input_batch_count - whiptail_cur_close_days - whiptail_log_size_limit - else - NODE_ES_HEAP_SIZE=$ES_HEAP_SIZE - NODE_LS_HEAP_SIZE=$LS_HEAP_SIZE - LSPIPELINEWORKERS=$CPUCORES - LSPIPELINEBATCH=125 - LSINPUTTHREADS=1 - LSINPUTBATCHCOUNT=125 - fi - whiptail_make_changes - clear_master - mkdir -p /nsm - get_filesystem_root - get_filesystem_nsm - copy_ssh_key - { - sleep 0.5 - echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX" - set_initial_firewall_policy >>~/sosetup.log 2>&1 - echo -e "XXX\n5\nInstalling Salt Packages... \nXXX" - saltify >>~/sosetup.log 2>&1 - echo -e "XXX\n20\nInstalling Docker... \nXXX" - docker_install >>~/sosetup.log 2>&1 - echo -e "XXX\n30\nInitializing Minion... 
\nXXX" - configure_minion node >>~/sosetup.log 2>&1 - set_node_type >>~/sosetup.log 2>&1 - node_pillar >>~/sosetup.log 2>&1 - copy_minion_pillar nodes >>~/sosetup.log 2>&1 - echo -e "XXX\n35\nSending and Accepting Salt Key... \nXXX" - salt_firstcheckin >>~/sosetup.log 2>&1 - # Accept the Salt Key - accept_salt_key_remote >>~/sosetup.log 2>&1 - echo -e "XXX\n40\nApplying SSL Certificates... \nXXX" - salt-call state.apply ca >>~/sosetup.log 2>&1 - salt-call state.apply ssl >>~/sosetup.log 2>&1 - echo -e "XXX\n50\nConfiguring Firewall... \nXXX" - salt-call state.apply common >>~/sosetup.log 2>&1 - salt-call state.apply firewall >>~/sosetup.log 2>&1 - echo -e "XXX\n70\nInstalling Elastic Components... \nXXX" - salt-call state.apply logstash >>~/sosetup.log 2>&1 - salt-call state.apply elasticsearch >>~/sosetup.log 2>&1 - salt-call state.apply curator >>~/sosetup.log 2>&1 - salt-call state.apply filebeat >>~/sosetup.log 2>&1 - echo -e "XXX\n90\nVerifying Install... \nXXX" - salt-call state.highstate >>~/sosetup.log 2>&1 - checkin_at_boot >>~/sosetup.log 2>&1 - - } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 - GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') - if [[ $GOODSETUP == '0' ]]; then - whiptail_setup_complete - else - whiptail_setup_failed - fi - - set_initial_firewall_policy - saltify - docker_install - configure_minion node - set_node_type - node_pillar - copy_minion_pillar nodes - salt_checkin - # Accept the Salt Key - accept_salt_key_remote - # Do the big checkin but first let them know it will take a bit. - salt_checkin_message - salt_checkin - checkin_at_boot - - whiptail_setup_complete - fi - -else - exit -fi From c4a917994659b86d21a8118db6eb6b18a2681962 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Tue, 16 Jul 2019 09:15:21 -0400 Subject: [PATCH 52/66] Core Module - Remove auth for grafana --- salt/common/nginx/nginx.conf.so-eval | 2 -- salt/common/nginx/nginx.conf.so-master | 2 -- 2 files changed, 4 deletions(-) diff --git a/salt/common/nginx/nginx.conf.so-eval b/salt/common/nginx/nginx.conf.so-eval index 5c924110c..a4a7e05e5 100644 --- a/salt/common/nginx/nginx.conf.so-eval +++ b/salt/common/nginx/nginx.conf.so-eval @@ -88,8 +88,6 @@ http { # } location /grafana/ { - auth_basic "Security Onion"; - auth_basic_user_file /opt/so/conf/nginx/.htpasswd; rewrite /grafana/(.*) /$1 break; proxy_pass http://{{ masterip }}:3000/; proxy_read_timeout 90; diff --git a/salt/common/nginx/nginx.conf.so-master b/salt/common/nginx/nginx.conf.so-master index 7f922d72a..c544857a0 100644 --- a/salt/common/nginx/nginx.conf.so-master +++ b/salt/common/nginx/nginx.conf.so-master @@ -88,8 +88,6 @@ http { # } location /grafana/ { - auth_basic "Security Onion"; - auth_basic_user_file /opt/so/conf/nginx/.htpasswd; rewrite /grafana/(.*) /$1 break; proxy_pass http://{{ masterip }}:3000/; proxy_read_timeout 90; From 582713d0279eb606775ea9f58db24b541a6be0e0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 16 Jul 2019 11:03:12 -0400 Subject: [PATCH 53/66] Bro Module - Fix local.bro --- salt/bro/files/local.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/bro/files/local.bro b/salt/bro/files/local.bro index 236f855bf..42112f7ee 100644 --- a/salt/bro/files/local.bro +++ b/salt/bro/files/local.bro @@ -100,7 +100,7 @@ # Uncomment the following line to enable the SMB analyzer. The analyzer # is currently considered a preview and therefore not loaded by default. -@load policy/protocols/smb +@load base/protocols/smb # Add the interface to the log event #@load securityonion/add-interface-to-logs.bro From b83efb51efbc03b59f7bf5a73515bb270a3cc76e Mon Sep 17 00:00:00 2001 
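Review bot: The comment kept above the changed line still reads "Uncomment the following line to enable the SMB analyzer ... not loaded by default", but the `@load` is active and now points at `base/protocols/smb`, so the comment no longer describes the line it annotates. Scripts under `base/` are by Bro/Zeek convention loaded by default, which would make this `@load` a no-op on the Bro 2.6.2 this series ships per its README; worth confirming against the bundled scripts. Suggest replacing the two stale comment lines with `# SMB analyzer lives under base/ in Bro 2.6; this @load only makes the dependency explicit.`, or dropping the line if it is indeed redundant.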
From: Mike Reeves Date: Wed, 17 Jul 2019 10:23:17 -0400 Subject: [PATCH 54/66] Core Module - Add rewrites --- salt/common/init.sls | 2 +- salt/common/nginx/nginx.conf.so-eval | 13 +++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 9ea7c34d4..b61a0b7e9 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -116,7 +116,7 @@ nginxtmp: # Start the core docker so-coreimage: cmd.run: - - name: docker pull --disable-content-trust=false soshybridhunter/so-core:HH1.0.7 + - name: docker pull --disable-content-trust=false soshybridhunter/so-core:HH1.1.0 so-core: docker_container.running: diff --git a/salt/common/nginx/nginx.conf.so-eval b/salt/common/nginx/nginx.conf.so-eval index a4a7e05e5..06ec0e023 100644 --- a/salt/common/nginx/nginx.conf.so-eval +++ b/salt/common/nginx/nginx.conf.so-eval @@ -164,6 +164,7 @@ http { proxy_set_header Proxy ""; } + location /sensoroni/ { auth_basic "Security Onion"; auth_basic_user_file /opt/so/conf/nginx/.htpasswd; @@ -177,6 +178,18 @@ http { } + location /kibana/app/sensoroni/ { + rewrite ^/kibana/app/sensoroni/(.*) /sensoroni/$1 permanent; + } + + location /kibana/app/fleet/ { + rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; + } + + location /kibana/app/soctopus/ { + rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; + } + location /sensoroniagents/ { proxy_pass http://{{ masterip }}:9822/; proxy_read_timeout 90; From c36a1411423300146accf9ce399b31dbc8e37871 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 17 Jul 2019 10:24:31 -0400 Subject: [PATCH 55/66] Core Module - Add rewrites --- salt/common/nginx/nginx.conf.so-master | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/salt/common/nginx/nginx.conf.so-master b/salt/common/nginx/nginx.conf.so-master index c544857a0..aa4fff1d1 100644 --- a/salt/common/nginx/nginx.conf.so-master +++ b/salt/common/nginx/nginx.conf.so-master 
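Review bot: The three new `/kibana/app/<tool>/` locations carry no comment saying why they exist, and the `rewrite ... permanent` form issues a 301 that browsers cache indefinitely, so a later change to the tool paths will keep clients bouncing to the old targets. A comment such as `# Pivot links (presumably built by Kibana) use /kibana/app/<tool>/; redirect to the tool's real location, whose own auth_basic still applies` would record the intent, since the README in this series says pivoting is done via Kibana. Because the three blocks differ only by name, one regex location, `location ~ ^/kibana/app/(sensoroni|fleet|soctopus)/(.*)$ { return 301 /$1/$2$is_args$args; }`, expresses the redirect once and is easier to keep in step with the copy in nginx.conf.so-master. Of the targets, only `/sensoroni/` and its `auth_basic` are visible in this hunk; `/fleet/` and `/soctopus/` are outside it, so whether they enforce auth cannot be checked here.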
@@ -177,6 +177,19 @@ http { proxy_set_header Proxy ""; } + + location /kibana/app/sensoroni/ { + rewrite ^/kibana/app/sensoroni/(.*) /sensoroni/$1 permanent; + } + + location /kibana/app/fleet/ { + rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; + } + + location /kibana/app/soctopus/ { + rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; + } + location /sensoroniagents/ { proxy_pass http://{{ masterip }}:9822/; From f08fe5f6770767aa4e543efe8bac86b8e3dffb0c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 17 Jul 2019 11:20:08 -0400 Subject: [PATCH 56/66] Fleet Module - Update container version --- salt/fleet/so-fleet-setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh index 85f8716e1..817ffaf99 100644 --- a/salt/fleet/so-fleet-setup.sh +++ b/salt/fleet/so-fleet-setup.sh @@ -27,7 +27,7 @@ mkdir /opt/so/conf/fleet/packages docker run \ --mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \ --mount type=bind,source=/etc/pki/launcher.crt,target=/var/launcher/launcher.crt \ - soshybridhunter/so-fleet-launcher:HH1.0.8 "$esecret" "$1":8080 + soshybridhunter/so-fleet-launcher:HH1.1.0 "$esecret" "$1":8080 cp /opt/so/conf/fleet/packages/launcher.* /opt/so/saltstack/salt/launcher/packages/ #Update timestamp on packages webpage From 78213e5074f9786e369ad61429bf317c6f1d25e9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 22 Jul 2019 10:12:21 -0400 Subject: [PATCH 57/66] Hive Module - Remove force --- salt/hive/init.sls | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/salt/hive/init.sls b/salt/hive/init.sls index 7d3862782..3fc364e4e 100644 --- a/salt/hive/init.sls +++ b/salt/hive/init.sls @@ -97,8 +97,7 @@ so-thehive: - /opt/so/conf/hive/etc/application.conf:/opt/thehive/conf/application.conf:ro - port_bindings: - 0.0.0.0:9000:9000 - - force: true - + hivescript: cmd.script: - source: salt://hive/thehive/scripts/hive_init.sh 
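Review bot: This block is a verbatim copy of the three `/kibana/app/<tool>/` rewrites added to nginx.conf.so-eval in the previous patch, and the series shows the two templates being fixed in lockstep by hand (patches 58/59 and 62 each touch both), which is where drift starts. Consider moving the shared `location` blocks into one Jinja-included snippet so eval and master render from the same source, with a one-line comment such as `# /kibana/app/<tool>/ paths come from pivot links; redirect to the real location` kept with it. A single regex location returning `return 301 /$1/$2$is_args$args;` would also replace the three near-identical `rewrite ... permanent` blocks, which as 301s are cached by browsers indefinitely.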
From 1e62e78bd93860b41b1dec05c9bef0a191a59955 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 22 Jul 2019 12:46:04 -0400 Subject: [PATCH 58/66] Core Module - Fix the auth for eval --- salt/common/nginx/nginx.conf.so-eval | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/common/nginx/nginx.conf.so-eval b/salt/common/nginx/nginx.conf.so-eval index 06ec0e023..2f8246d30 100644 --- a/salt/common/nginx/nginx.conf.so-eval +++ b/salt/common/nginx/nginx.conf.so-eval @@ -141,6 +141,9 @@ http { } location /thehive/ { + satisfy any; + allow {{ masterip }}; + deny all; auth_basic "Security Onion"; auth_basic_user_file /opt/so/conf/nginx/.htpasswd; proxy_pass http://{{ masterip }}:9000/thehive/; From ab3a7aec0017f4a2a2d92d1fbdba18f6253c4462 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 22 Jul 2019 12:57:58 -0400 Subject: [PATCH 59/66] Core Module - Fix the auth for master --- salt/common/nginx/nginx.conf.so-master | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/common/nginx/nginx.conf.so-master b/salt/common/nginx/nginx.conf.so-master index aa4fff1d1..1f4fceffa 100644 --- a/salt/common/nginx/nginx.conf.so-master +++ b/salt/common/nginx/nginx.conf.so-master @@ -141,6 +141,9 @@ http { } location /thehive/ { + satisfy any; + allow {{ masterip }}; + deny all; auth_basic "Security Onion"; auth_basic_user_file /opt/so/conf/nginx/.htpasswd; proxy_pass http://{{ masterip }}:9000/thehive/; @@ -177,7 +180,7 @@ http { proxy_set_header Proxy ""; } - + location /kibana/app/sensoroni/ { rewrite ^/kibana/app/sensoroni/(.*) /sensoroni/$1 permanent; } From 8804a434630c2e2b6bbb8ce87c506f7fec47a956 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Tue, 23 Jul 2019 10:08:09 -0400 Subject: [PATCH 60/66] Firewall Module - Add so-allow
--- pillar/firewall/wazuh_endpoint.sls | 2 + salt/common/tools/sbin/so-allow | 42 ++++++++++ salt/firewall/init.sls | 127 +++++++++++++++++------ 3 files changed, 121 insertions(+), 50 deletions(-) create mode 100644 pillar/firewall/wazuh_endpoint.sls create mode 100644 salt/common/tools/sbin/so-allow
diff --git a/pillar/firewall/wazuh_endpoint.sls b/pillar/firewall/wazuh_endpoint.sls
new file mode 100644
index 000000000..d5d1a52f8
--- /dev/null
+++ b/pillar/firewall/wazuh_endpoint.sls
@@ -0,0 +1,2 @@
+wazuh_endpoint:
+ - 127.0.0.1
diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow
new file mode 100644
index 000000000..1685e386a
--- /dev/null
+++ b/salt/common/tools/sbin/so-allow
@@ -0,0 +1,42 @@ +#!/bin/bash +got_root() { + + # Make sure you are root + if [ "$(id -u)" -ne 0 ]; then + echo "This script must be run using sudo!" + exit 1 + fi + +} + +got_root + +echo "This program allows you to add a firewall rule to allow connections from a new IP address." +echo "" +echo "Choose the role for the IP or Range you would like to add" +echo "" +echo "[a] - Analyst - ports 80/tcp and 443/tcp" +echo "[b] - Logstash Beat - port 5044/tcp" +echo "[o] - Osquery endpoint - port 8080/tcp" +echo "[w] - Wazuh endpoint - port 1514" +echo "" +echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):" +read ROLE +echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):" +read IP + +if [ "$ROLE" == "a" ]; then + FULLROLE=analyst +elif [ "$ROLE" == "b" ]; then + FULLROLE=beats_endpoint +elif [ "$ROLE" == "o" ]; then + FULLROLE=osquery_endpoint +elif [ "$ROLE" == "w" ]; then + FULLROLE=wazuh_endpoint +else + echo "I don't recognize that role" + exit 1 +fi + +echo "Adding $IP to the $FULLROLE role. This can take a few seconds" +/opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index bd6a4ebe2..7044699f0 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -408,6 +408,33 @@ enable_standard_osquery_8080_{{ip}}: {% endfor %} +# Allow Wazuh Endpoints to send their traffic +{% for ip in pillar.get('wazuh_endpoint') %} + +enable_wazuh_endpoint_tcp_1514_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: tcp + - source: {{ ip }} + - dport: 1514 + - position: 1 + - save: True + +enable_wazuh_endpoint_udp_1514_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: udp + - source: {{ ip }} + - dport: 1514 + - position: 1 + - save: True + +{% endfor %} + # Allow Analysts {% for ip in pillar.get('analyst') %} 
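Review bot: `IP` comes straight from `read IP` and is handed to `addfirewall.sh $FULLROLE $IP` as root with no check that it is an address or CIDR, so a typo or a value containing spaces or shell metacharacters reaches the firewall pillar (and ultimately iptables `--source`) unvalidated; what addfirewall.sh does with it is not visible here. Suggest validating first, `[[ "$IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]] || { echo "Not a valid IPv4 address or CIDR: $IP"; exit 1; }`, and quoting the call: `/opt/so/saltstack/pillar/firewall/addfirewall.sh "$FULLROLE" "$IP"`. Both `read` calls should be `read -r`. The menu describes the Wazuh role as "port 1514" while the firewall state added in this patch opens both TCP and UDP 1514; the prompt could say `port 1514/tcp+udp`.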
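Review bot: `pillar.get('wazuh_endpoint')` has no default, so on any minion whose pillar lacks the key the loop iterates over `None` and the whole firewall state fails to render instead of simply opening nothing; the existing `pillar.get('analyst')` loop below has the same shape, but a new loop is the place to stop propagating it. `{% for ip in pillar.get('wazuh_endpoint', []) %}` keeps the state renderable. The new pillar file seeds the list with `127.0.0.1`, which is harmless but deserves a comment on the state, e.g. `# wazuh_endpoint defaults to 127.0.0.1 so agents on the master itself are always allowed`. The enclosing state file continues outside this hunk.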
@@ -433,61 +460,61 @@ enable_standard_analyst_443_{{ip}}: - position: 1 - save: True -enable_standard_analyst_3000_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 3000 - - position: 1 - - save: True +#enable_standard_analyst_3000_{{ip}}: +# iptables.insert: +# - table: filter +# - chain: DOCKER-USER +# - jump: ACCEPT +# - proto: tcp +# - source: {{ ip }} +# - dport: 3000 +# - position: 1 +# - save: True -enable_standard_analyst_7000_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 7000 - - position: 1 - - save: True +#enable_standard_analyst_7000_{{ip}}: +# iptables.insert: +# - table: filter +# - chain: DOCKER-USER +# - jump: ACCEPT +# - proto: tcp +# - source: {{ ip }} +# - dport: 7000 +# - position: 1 +# - save: True -enable_standard_analyst_9000_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 9000 - - position: 1 - - save: True +#enable_standard_analyst_9000_{{ip}}: +# iptables.insert: +# - table: filter +# - chain: DOCKER-USER +# - jump: ACCEPT +# - proto: tcp +# - source: {{ ip }} +# - dport: 9000 +# - position: 1 +# - save: True -enable_standard_analyst_9001_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 9001 - - position: 1 - - save: True +#enable_standard_analyst_9001_{{ip}}: +# iptables.insert: +# - table: filter +# - chain: DOCKER-USER +# - jump: ACCEPT +# - proto: tcp +# - source: {{ ip }} +# - dport: 9001 +# - position: 1 +# - save: True # This is temporary for sensoroni testing -enable_standard_analyst_9822_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 9822 - - position: 1 - - save: True +#enable_standard_analyst_9822_{{ip}}: +# 
iptables.insert: +# - table: filter +# - chain: DOCKER-USER +# - jump: ACCEPT +# - proto: tcp +# - source: {{ ip }} +# - dport: 9822 +# - position: 1 +# - save: True {% endfor %} From c3224283f52adfccd1020a288994751f700c6ea5 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Jul 2019 12:16:14 -0400 Subject: [PATCH 61/66] Removed unused bond function and attempted to fix error logging for new nmcli bond creation. --- so-setup-network.sh | 102 +------------------------------------------- 1 file changed, 2 insertions(+), 100 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 55fff5e70..18f86c2c8 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -259,8 +259,7 @@ create_bond_nmcli() { ipv4.method disabled \ ipv6.method link-local \ ethernet.mtu $MTU \ - connection.autoconnect "yes" \ - >> $SETUPLOG 2>&1 + connection.autoconnect "yes" >> $SETUPLOG 2>&1 for BNIC in ${BNICS[@]}; do # Strip the quotes from the NIC names 
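Review bot: The five analyst rules for 3000, 7000, 9000, 9001 and 9822 are commented out rather than removed, leaving roughly fifty lines of dead Jinja/YAML inside the `analyst` loop with no note on why; git history already preserves them, so deleting them, or at least a one-line comment such as `# Direct access to 3000/7000/9000/9001/9822 is no longer opened; analysts reach these services through nginx on 80/443`, is clearer. Closing the direct ports also makes the nginx locations the only gate for those services, which matters because patch 52 in this series removed `auth_basic` from `/grafana/` and patch 62 removes it from `/thehive/`; whether the applications' own logins are expected to cover access is worth stating in the commit. The "temporary for sensoroni testing" comment now annotates a commented-out rule and should go with it.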
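Review bot: Moving `>> $SETUPLOG 2>&1` onto the `connection.autoconnect "yes"` line is behaviour-neutral in bash, since a backslash-newline continuation already carried the redirection to the same `nmcli con add` command, unless the original had trailing whitespace after the backslash; if nmcli output was genuinely missing from the log the cause is probably elsewhere, for example `SETUPLOG` being empty when create_bond_nmcli runs, in which case the unquoted `>> $SETUPLOG` fails as an ambiguous redirect. A guard at the top of the function, `: "${SETUPLOG:?SETUPLOG must be set before create_bond_nmcli}"`, would surface that immediately. `$MTU` and `$SETUPLOG` are unquoted throughout; `"$MTU"` and `"$SETUPLOG"` cost nothing. create_bond_nmcli begins before this hunk.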
@@ -268,109 +267,12 @@ create_bond_nmcli() { # Create the slave interface and assign it to the bond nmcli con add type ethernet ifname $BONDNIC con-name "bond0-slave-$BONDNIC" master bond0 -- \ ethernet.mtu $MTU \ - connection.autoconnect "yes" \ - >> $SETUPLOG 2>&1 + connection.autoconnect "yes" >> $SETUPLOG 2>&1 # Bring the slave interface up nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1 done } -create_bond() { - - # Create the bond interface - echo "Setting up Bond" >> $SETUPLOG 2>&1 - - # Set the MTU - if [ $NSMSETUP != 'ADVANCED' ]; then - MTU=1500 - fi - - # Do something different based on the OS - if [ $OS == 'centos' ]; then - modprobe --first-time bonding - touch /etc/sysconfig/network-scripts/ifcfg-bond0 - echo "DEVICE=bond0" > /etc/sysconfig/network-scripts/ifcfg-bond0 - echo "NAME=bond0" >> /etc/sysconfig/network-scripts/ifcfg-bond0 - echo "Type=Bond" >> /etc/sysconfig/network-scripts/ifcfg-bond0 - echo "BONDING_MASTER=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond0 - echo "BOOTPROTO=none" >> /etc/sysconfig/network-scripts/ifcfg-bond0 - echo "BONDING_OPTS=\"mode=0\"" >> /etc/sysconfig/network-scripts/ifcfg-bond0 - echo "ONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond0 - echo "MTU=$MTU" >> /etc/sysconfig/network-scripts/ifcfg-bond0 - - # Create Bond configs for the selected monitor interface - for BNIC in ${BNICS[@]}; do - BONDNIC="${BNIC%\"}" - BONDNIC="${BONDNIC#\"}" - sed -i 's/ONBOOT=no/ONBOOT=yes/g' /etc/sysconfig/network-scripts/ifcfg-$BONDNIC - echo "MASTER=bond0" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC - echo "SLAVE=yes" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC - echo "MTU=$MTU" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC - done - nmcli con reload >> $SETUPLOG 2>&1 - systemctl restart network >> $SETUPLOG 2>&1 - - else - - # Need to add 17.04 support still - apt-get -y install ifenslave >> $SETUPLOG 2>&1 - if ! 
grep -q bonding /etc/modules; then - echo "bonding" >> /etc/modules - fi - modprobe bonding >> $SETUPLOG 2>&1 - - local LBACK=$(awk '/auto lo/,/^$/' /etc/network/interfaces) - local MINT=$(awk "/auto $MNIC/,/^$/" /etc/network/interfaces) - - # Backup and create a new interface file - cp /etc/network/interfaces /etc/network/interfaces.sosetup - echo "source /etc/network/interfaces.d/*" > /etc/network/interfaces - echo "" >> /etc/network/interfaces - - # Let's set up the new interface file - # Populate lo and create file for the management interface - IFS=$'\n' - for line in $LBACK - do - echo $line >> /etc/network/interfaces - done - - IFS=$'\n' - for line in $MINT - do - echo $line >> /etc/network/interfaces.d/$MNIC - done - - # Create entries for each interface that is part of the bond. - for BNIC in ${BNICS[@]}; do - - BNIC=$(echo $BNIC | cut -d\" -f2) - echo "auto $BNIC" >> /etc/network/interfaces.d/$BNIC - echo "iface $BNIC inet manual" >> /etc/network/interfaces.d/$BNIC - echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/$BNIC - echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/$BNIC - echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/$BNIC - echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/$BNIC - echo " bond-master bond0" >> /etc/network/interfaces.d/$BNIC - echo " mtu $MTU" >> /etc/network/interfaces.d/$BNIC - - done - - BN=("${BNICS[@]//\"/}") - - echo "auto bond0" > /etc/network/interfaces.d/bond0 - echo "iface bond0 inet manual" >> /etc/network/interfaces.d/bond0 - echo " bond-mode 0" >> /etc/network/interfaces.d/bond0 - echo " bond-slaves $BN" >> /etc/network/interfaces.d/bond0 - echo " mtu $MTU" >> /etc/network/interfaces.d/bond0 - echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/bond0 - echo " down ip link set \$IFACE promisc off down" >> 
/etc/network/interfaces.d/bond0 - echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/bond0 - echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/bond0 - fi - -} - detect_os() { # Detect Base OS From 9f48ea683c6f44378348285f0bbddc335e36efaa Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 24 Jul 2019 09:05:08 -0400 Subject: [PATCH 62/66] Common Module - remove auth for thehive --- salt/common/nginx/nginx.conf.so-eval | 5 ----- salt/common/nginx/nginx.conf.so-master | 5 ----- 2 files changed, 10 deletions(-) diff --git a/salt/common/nginx/nginx.conf.so-eval b/salt/common/nginx/nginx.conf.so-eval index 2f8246d30..3230e8edd 100644 --- a/salt/common/nginx/nginx.conf.so-eval +++ b/salt/common/nginx/nginx.conf.so-eval @@ -141,11 +141,6 @@ http { } location /thehive/ { - satisfy any; - allow {{ masterip }}; - deny all; - auth_basic "Security Onion"; - auth_basic_user_file /opt/so/conf/nginx/.htpasswd; proxy_pass http://{{ masterip }}:9000/thehive/; proxy_read_timeout 90; proxy_connect_timeout 90; diff --git a/salt/common/nginx/nginx.conf.so-master b/salt/common/nginx/nginx.conf.so-master index 1f4fceffa..7999a7027 100644 --- a/salt/common/nginx/nginx.conf.so-master +++ b/salt/common/nginx/nginx.conf.so-master @@ -141,11 +141,6 @@ http { } location /thehive/ { - satisfy any; - allow {{ masterip }}; - deny all; - auth_basic "Security Onion"; - auth_basic_user_file /opt/so/conf/nginx/.htpasswd; proxy_pass http://{{ masterip }}:9000/thehive/; proxy_read_timeout 90; proxy_connect_timeout 90; From 9885e188a10e30088813c32270f05f7583875619 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 25 Jul 2019 10:50:43 -0400 Subject: [PATCH 63/66] Setup Script - Remove reboot since it messed with the hive --- so-setup-network.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 18f86c2c8..24a1ddf5b 100644 
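Review bot: The deleted `create_bond` put each sniffing NIC and bond0 into promiscuous mode with ARP off, disabled every offload (`rx tx sg tso ufo gso gro lro`) via `ethtool -K`, and disabled IPv6 on the interfaces; the nmcli-based replacement visible in this hunk sets only MTU, `ipv4.method disabled` and `ipv6.method link-local`, and the rest of create_bond_nmcli lies outside the hunk. Unless those settings now come from somewhere else (a pcap, suricata or bro state, say), capture on the bond can see segmented or checksum-offloaded frames, a common cause of missed IDS detections and malformed pcaps. Suggest either re-adding them in create_bond_nmcli, `ethtool -K "$BONDNIC" rx off tx off sg off tso off ufo off gso off gro off lro off` after each `nmcli con up` plus `ip link set "$BONDNIC" promisc on arp off`, or a comment stating where they are applied now.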
--- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -1397,7 +1397,7 @@ whiptail_sensor_config() { whiptail_setup_complete() { - whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE. A reboot is recommended." 8 78 + whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE." 8 78 install_cleanup exit From 1fc389a1b964d52a0d303707cf8ea5081caefa75 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 25 Jul 2019 12:49:54 -0400 Subject: [PATCH 64/66] idstools module - add cron job to update rules --- salt/common/tools/sbin/so-ruleupdate | 13 +++++++++++++ salt/idstools/init.sls | 13 +++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 salt/common/tools/sbin/so-ruleupdate diff --git a/salt/common/tools/sbin/so-ruleupdate b/salt/common/tools/sbin/so-ruleupdate new file mode 100644 index 000000000..f50d49322 --- /dev/null +++ b/salt/common/tools/sbin/so-ruleupdate @@ -0,0 +1,13 @@ +#!/bin/bash +got_root() { + + # Make sure you are root + if [ "$(id -u)" -ne 0 ]; then + echo "This script must be run using sudo!" + exit 1 + fi + +} + +got_root +docker exec -it so-idstools /bin/bash -c 'cd /opt/so/idstools/etc && idstools-rulecat' diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 7878f4f77..2d021ee10 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -21,6 +21,13 @@ idstoolsdir: - group: 939 - makedirs: True +idstoolslogdir: + file.directory: + - name: /opt/so/log/idstools + - user: 939 + - group: 939 + - makedirs: True + idstoolsetcsync: file.recurse: - name: /opt/so/conf/idstools/etc @@ -29,6 +36,12 @@ idstoolsetcsync: - group: 939 - template: jinja +/usr/sbin/so-ruleupdate.sh > /opt/so/log/idstools/download.log: + cron.present: + - user: root + - minute: '1' + - hour: '7' + rulesdir: file.directory: - name: /opt/so/rules/nids From a9370ea8867a6af662b530ecf1898508f9eb0e05 Mon Sep 17 00:00:00 2001 
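Review bot: `docker exec -it` requests a pseudo-TTY, and the cron job added in the same patch runs this script with no terminal attached, so under cron the exec fails with "the input device is not a TTY" before idstools-rulecat runs; drop the flags: `docker exec so-idstools /bin/bash -c 'cd /opt/so/idstools/etc && idstools-rulecat'`. Nothing checks the exec's exit status either, so a failed rule download is invisible to cron; `set -e` at the top, or `... || exit 1`, makes the failure propagate. A header comment such as `# Pull the latest NIDS rules through the so-idstools container; run daily by the idstools cron state` would help the next reader.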
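Review bot: The cron command `/usr/sbin/so-ruleupdate.sh > /opt/so/log/idstools/download.log` names a file with a `.sh` suffix while the script added in this patch is `salt/common/tools/sbin/so-ruleupdate` with no suffix, and where that directory is deployed on the host is not visible here, so the two should be checked against each other; the rename in the next patch keeps the `.sh`. `>` truncates the log on every run and stderr is not redirected, so a failed download's error goes to cron mail rather than the log; `>> /opt/so/log/idstools/download.log 2>&1` with rotation, or at least `2>&1`, keeps the evidence. The README later states the job runs at 7AM UTC, but cron uses the master's local time zone, so that claim holds only on hosts whose clock is set to UTC.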
From: Mike Reeves Date: Thu, 25 Jul 2019 13:31:26 -0400 Subject: [PATCH 65/66] idstools module - Fix script name --- salt/common/tools/sbin/{so-ruleupdate => so-rule-update} | 0 salt/idstools/init.sls | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename salt/common/tools/sbin/{so-ruleupdate => so-rule-update} (100%) diff --git a/salt/common/tools/sbin/so-ruleupdate b/salt/common/tools/sbin/so-rule-update similarity index 100% rename from salt/common/tools/sbin/so-ruleupdate rename to salt/common/tools/sbin/so-rule-update diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 2d021ee10..cabd0ee73 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -36,7 +36,7 @@ idstoolsetcsync: - group: 939 - template: jinja -/usr/sbin/so-ruleupdate.sh > /opt/so/log/idstools/download.log: +/usr/sbin/so-rule-update.sh > /opt/so/log/idstools/download.log: cron.present: - user: root - minute: '1' From 1965e3f0378edaa122eae3649a935cac5167b496 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 25 Jul 2019 15:53:45 -0400 Subject: [PATCH 66/66] Update Readme. Welcome to Alpha --- README.md | 29 +++++++++++++---------------- 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 4da7ca79e..783109781 100644 --- a/README.md +++ b/README.md 
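Review bot: Changing the state ID from `/usr/sbin/so-ruleupdate.sh ...` to `/usr/sbin/so-rule-update.sh ...` changes the command that `cron.present` manages, and Salt does not on its own remove the entry installed under the old command on hosts that already applied the previous state, so those masters end up with two daily jobs, one pointing at a path that matches nothing. A paired `cron.absent` for the old command, or an `identifier:` on the state so the entry is tracked by a stable tag rather than its command text, avoids that. The `.sh` suffix also survives although the renamed script is `so-rule-update` with no suffix; where `salt/common/tools/sbin` lands on the host is outside this hunk, so verify the path matches.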
@@ -1,21 +1,18 @@ -## Hybrid Hunter 1.0.8 +## Hybrid Hunter Alpha 1.1.0 ### Changes: - -- Suricata 4.1.4 -- Eval and Master installs now ask which components you would like to install -- Fleet (osquery) now has it's own additional setup script. [See the docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Configuring-Osquery-with-Security-Onion) -- Fleet setup script now generates auto install packages for Windows, CentOS, and Ubuntu -- When Fleet setup is completed, all SO nodes will auto install the appropriate auto install package -- We now have a progress bar during install! -- The setup script will now tell you if it was successful -- Added Grafana plugin Pie Chart -- The Hive Docker moved to Centos 7 based container - -### Notes: -- Attempting to send a Bro event to The Hive that does not contain a source and destination IP (ex. Bro files, or X509) will result in an exception - a fix for this will be implemented in the next release. -- If attempting to pivot from Kibana, ensure that you can resolve the master via DNS -- otherwise, populate your local hosts file with an entry to point to the master. - +- Alpha is here!! Check out the [[Hybrid Hunter Quick Start Guide|Hybrid-Hunter-Quick-Start-Guide]]. +- There is a new PCAP interface called [Sensoroni](https://github.com/sensoroni/sensoroni). Pivoting is done via Kibana. See details [[here|Pulling-PCAP]]. +- Bond interface setup now uses `nmcli` for better compatibility in the network based setup script. +- Filebeat traffic for HH components now use a separate port (5644). This will allow you to send Beats to the default port (5044) and choose how you want to secure it. It is still recommended to use full SSL via Filebeat and if you already have this set up you will need to change to port 5044. We will continue to refine this in future versions. +- Authentication is now enabled by default for all the web based components. 
There will be some major changes before we get to beta with how authentication in general is handled due to Elastic "Features" and other components. +- Add users to the web interface via `so-user-add` and follow the prompts. +- `so-allow` now exists to make your life easier. +- Bro 2.6.2. +- All Docker images were updated to reflect Alpha status. +- Disabled DEBUG logging on a lot of components to reduce space usage. +- Added a rule update cron job so the master pulls new rules down every day at 7AM UTC. +- You can now manually run a rule update using the `so-rule-update` command. ### Warnings and Disclaimers
